I'm testing it with a black box approach (I can't see how the logout is implemented in the backend). What I can say is that the request which is sent after I click on the logout button is the following
website/auth?Session=X&UserName=Y&session_signature=Z
Is it possible that they forgot to call .AuthSessionRelease and .SessionDelete? Or is this behaviour a default behaviour?
I mean I think I shouldn't be able to reuse an old session_signature value.
I'm testing a website from a security perspective.
On a website which uses mORMot 1.18 every request made by an authenticated user is in this format:
../search_items?session_signature=0000004C000F6DD02E24541C as reported within the framework docs
Here is typical signature to access the root URL
root?session_signature=0000004C000F6BE365D8D454
In this case, 0000004C is the Session ID, 000F6BE3 is the client time stamp (aka nonce), and 65D8D454 is the signature, checked by the following Delphi expression:
(crc32(crc32(fPrivateSaltHash,PTimeStamp,8),pointer(aURL),aURLlength)=aSignature);
For instance, a RESTful GET of the TSQLRecordPeople table with RowID=6 will have the following URI:
root/People/6?session_signature=0000004C000F6DD02E24541C
I tried the following:
1. authenticate as userA, send a request which shows sensitive content. Save session_signature=A value.
2. perform the logout
3. login again as userA in order to have a new session_signature=B which should invalidate the first one
4. logout and send again the request with the session_signature=A
5. the old session_signature value worked.
Is this the default behavior of mORMot or is it a misconfiguration? Should I consider it a session management misconfiguration since the value of session_signature is not invalidated?
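The following is an added illustration, not code from the post or from mORMot, of the point the test procedure above exposes: a signature that merely recomputes the crc32 expression from the docs proves that the caller once held the session's private salt, but it says nothing about whether that session is still alive. A server must also look the Session ID up in its table of live sessions and reject anything whose session has been released. The example parses the 24-hex-character session_signature layout quoted above (8 hex chars Session ID, 8 hex chars client timestamp, 8 hex chars signature), mirrors the chained crc32 expression with Python's zlib.crc32 (an assumption: it is not claimed to be bit-identical to mORMot's own crc32 routine), and keeps a toy live-session table so that a signature captured before logout is rejected afterwards. All session IDs, salts, timestamps and URLs are constructed sample values.

```python
import zlib
from dataclasses import dataclass

SIG_HEX_LEN = 24  # 8 (session id) + 8 (timestamp) + 8 (crc32 signature)


@dataclass(frozen=True)
class ParsedSignature:
    session_id: int
    timestamp_hex: str  # kept as the 8 ASCII hex chars, since the crc is computed over those bytes
    signature: int


def parse_session_signature(value: str) -> ParsedSignature:
    """Split a session_signature query value into its three 32-bit fields."""
    if len(value) != SIG_HEX_LEN or any(c not in "0123456789abcdefABCDEF" for c in value):
        raise ValueError("malformed session_signature")
    return ParsedSignature(
        session_id=int(value[:8], 16),
        timestamp_hex=value[8:16],
        signature=int(value[16:], 16),
    )


def compute_signature(private_salt_hash: int, timestamp_hex: str, url: str) -> int:
    """Assumed mirror of crc32(crc32(fPrivateSaltHash, PTimeStamp, 8), pointer(aURL), aURLlength)."""
    inner = zlib.crc32(timestamp_hex.encode("ascii"), private_salt_hash) & 0xFFFFFFFF
    return zlib.crc32(url.encode("utf-8"), inner) & 0xFFFFFFFF


def make_session_signature(session_id: int, private_salt_hash: int, timestamp_hex: str, url: str) -> str:
    """What a client holding the session salt would append as ?session_signature=... (constructed helper)."""
    sig = compute_signature(private_salt_hash, timestamp_hex, url)
    return f"{session_id:08X}{timestamp_hex}{sig:08X}"


class SessionStore:
    """Toy server-side session table: session id -> private salt hash for live sessions only."""

    def __init__(self) -> None:
        self._live: dict[int, int] = {}

    def create(self, session_id: int, private_salt_hash: int) -> None:
        self._live[session_id] = private_salt_hash

    def release(self, session_id: int) -> None:
        # Logout: forgetting this step is exactly what leaves an old signature usable.
        self._live.pop(session_id, None)

    def verify(self, url: str, session_signature: str) -> bool:
        parsed = parse_session_signature(session_signature)
        salt = self._live.get(parsed.session_id)
        if salt is None:
            # Liveness check: unknown or released session is rejected before any crc is computed.
            return False
        return compute_signature(salt, parsed.timestamp_hex, url) == parsed.signature


def replay_after_logout_is_rejected() -> bool:
    """Reproduce the post's steps 1-5 against the toy store: the old value must stop working."""
    store = SessionStore()
    store.create(0x4C, 0x12345678)  # constructed session id and salt
    url = "root/People/6"
    captured = make_session_signature(0x4C, 0x12345678, "000F6DD0", url)
    accepted_while_live = store.verify(url, captured)
    store.release(0x4C)  # logout releases the session
    store.create(0x4D, 0x9ABCDEF0)  # a fresh login gets a new session id and salt
    accepted_after_logout = store.verify(url, captured)
    return accepted_while_live and not accepted_after_logout


if __name__ == "__main__":
    print("replayed signature rejected after logout:", replay_after_logout_is_rejected())
```

The behaviour the post observed corresponds to a store whose release step never runs: with the salt still present, the crc recomputation succeeds and the captured value keeps working. Whatever the real server does internally, the observable check a tester can make is the one in replay_after_logout_is_rejected: a request signed before logout must fail after it.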