I'm testing a website from a security perspective.
On a website which uses mORMot 1.18 every request made by an authenticated user is in this format:
../search_items?session_signature=0000004C000F6DD02E24541C as reported within the framework docs
Here is typical signature to access the root URL
root?session_signature=0000004C000F6BE365D8D454
In this case, 0000004C is the Session ID, 000F6BE3 is the client time stamp (aka nonce), and 65D8D454 is the signature, checked by the following Delphi expression:
(crc32(crc32(fPrivateSaltHash,PTimeStamp,8),pointer(aURL),aURLlength)=aSignature);
For instance, a RESTful GET of the TSQLRecordPeople table with RowID=6 will have the following URI:
root/People/6?session_signature=0000004C000F6DD02E24541C
I tried the following:
1. authenticate as userA, send a request which shows sensitive content. Save the session_signature=A value.
2. perform the logout
3. login again as userA in order to have a new session_signature=B which should invalidate the first one
4. logout and send again the request with the session_signature=A
5. the old session_signature value worked.
Is this the default behavior of mORMot or is it a misconfiguration? Should I consider it a session management misconfiguration since the value of session_signature is not invalidated?
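To make the check concrete, here is an added Python sketch (not the framework's own code) of what the server side has to do for each signed request: look the Session ID up in the table of live sessions first, so a session_signature from a released session is refused whatever its crc32 says, and only then recompute the signature. It assumes a zlib-compatible crc32 (the function the expression above names), a constructed private salt hash, and that the signed URL text is everything before `?session_signature=`.

```python
import zlib

# Constructed sample data, not taken from a real server: the per-session private
# salt hash that login produced, keyed by Session ID (0x4C is the "0000004C" above).
LIVE_SESSIONS = {0x0000004C: 0x1D3A5F7C}


def sign_url(salt_hash: int, timestamp_hex: str, url: str) -> int:
    """crc32(crc32(salt, timestamp text, 8), url, len(url)), chained the way the
    Delphi expression does; zlib.crc32 is assumed to match the framework's crc32."""
    inner = zlib.crc32(timestamp_hex.encode("ascii"), salt_hash)
    return zlib.crc32(url.encode("ascii"), inner) & 0xFFFFFFFF


def make_signed_url(session_id: int, salt_hash: int, timestamp_hex: str, url: str) -> str:
    """Client side: build URL?session_signature=<id><timestamp><signature> (24 hex chars)."""
    sig = sign_url(salt_hash, timestamp_hex, url)
    return f"{url}?session_signature={session_id:08X}{timestamp_hex}{sig:08X}"


def check_request(full_url: str, sessions: dict) -> str:
    """Server side: refuse released sessions before even looking at the crc32."""
    url, sep, value = full_url.partition("?session_signature=")
    if not sep or len(value) != 24:
        return "rejected: malformed session_signature"
    session_id = int(value[0:8], 16)
    timestamp_hex = value[8:16]
    signature = int(value[16:24], 16)
    salt_hash = sessions.get(session_id)
    if salt_hash is None:
        # This is the branch the reported behaviour skips: an old session_signature
        # must stop verifying as soon as its session has been deleted.
        return "rejected: unknown or released session"
    if sign_url(salt_hash, timestamp_hex, url) != signature:
        return "rejected: signature mismatch"
    return "accepted"


def release_session(session_id: int, sessions: dict) -> None:
    """What a logout (auth?UserName=...&Session=...) must end up doing: drop the session."""
    sessions.pop(session_id, None)
```

With a real deployment the private salt hash is never visible to a black-box tester, so the only observable check is the one in the thread: replay a saved session_signature after logout and confirm it is refused.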
How do you make the "LogOut"?
Do you call GET ModelRoot/auth?UserName=...&Session=... to release the session on the server side?
It would call TSQLRestServerAuthentication.AuthSessionRelease and TSQLRestServer.SessionDelete to actually disable the session.
I'm testing it with a black box approach (I can't see how the logout is implemented in the backend). What I can say is that the request which is sent after I click on the logout button is the following
website/auth?Session=X&UserName=Y&session_signature=Z
Is it possible that they forgot to call .AuthSessionRelease and .SessionDelete? Or is this the default behaviour?
I mean I think I shouldn't be able to reuse an old session_signature value.
Last edited by gino (2021-02-24 08:23:50)
The session should be deleted.
Please debug on the server side a bit more and report anything unexpected.
For instance, "Deleted session" should appear on the server logs.
I have the same sample. I think that the JavaScript client can't log out, and it only goes down by timeout.
<code>
20220928 14503721 call mormot.rest.sqlite3.TRestServerDB(0a049570) Auth UserName=xxx&Session=733137&session_signature=000b2fd10082dc93c261c1d9
20220928 14503721 debug mormot.rest.sqlite3.TRestServerDB(0a049570) TRestServerRoutingRest.Error: { "errorCode":400, "errorText":"Bad Request" }
</code>
Please debug a bit more, i.e. run the server in the debugger and find out what occurs, and what could be fixed.
IIRC some weeks ago, I made some fixes to the session logout endpoint.
TRestServerAuthentication.AuthSessionRelease should properly log out and delete the session.
I am working on M2.0.3780, FPC.
I downloaded the new release mORMot 2.0.4099, and it is OK! Thanks!