#1 2021-02-24 07:39:56

gino
Member
Registered: 2021-02-24
Posts: 2

session_signature is not invalidated after logout? is this default?

I'm testing a website from a security perspective.
On a website which uses mORMot 1.18 every request made by an authenticated user is in this format:

../search_items?session_signature=0000004C000F6DD02E24541C as reported within the framework docs

    Here is typical signature to access the root URL

    root?session_signature=0000004C000F6BE365D8D454

    In this case, 0000004C is the Session ID, 000F6BE3 is the client time stamp (aka nonce), and 65D8D454 is the signature, checked by the following Delphi expression:

    (crc32(crc32(fPrivateSaltHash,PTimeStamp,8),pointer(aURL),aURLlength)=aSignature);

    For instance, a RESTful GET of the TSQLRecordPeople table with RowID=6 will have the following URI:

    root/People/6?session_signature=0000004C000F6DD02E24541C

I tried the following:

    1. authenticate as userA, send a request which shows sensitive content. Save session_signature=A value.
    2. perform the logout
    3. login again as userA in order to have a new session_signature=B which shoud invalidate the first one
    4. logout and send again the request with the session_signature=A
    5. the old session_signature value worked.

Is this the default behavior of mORMot or is a misconfiguration? Should I consider it a session management misconfiguration since the value of session_signature is not invalidated?

Offline

#2 2021-02-24 08:18:04

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655
Website

Re: session_signature is not invalidated after logout? is this default?

How do you make the "LogOut"?

Do you call GET ModelRoot/auth?UserName=...&Session=... to release the session on the server side?
It would call TSQLRestServerAuthentication.AuthSessionRelease and TSQLRestServer.SessionDelete to actually disable the session.

Offline

#3 2021-02-24 08:23:08

gino
Member
Registered: 2021-02-24
Posts: 2

Re: session_signature is not invalidated after logout? is this default?

I'm testing it with a black box approach (I can't see how the logout is implemented in the backend). What I can say is that the request which is sent after I click on the logout button is the following

website/auth?Session=X&UserName=Y&session_signature=Z

Is possible that they forget to call .AuthSessionRelease and .SessionDelete? Or is this behaviour a default behaviour?

I mean I think I shouldn't be able to reuse an old session_signature value.

Last edited by gino (2021-02-24 08:23:50)

Offline

#4 2021-02-24 08:26:48

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655
Website

Re: session_signature is not invalidated after logout? is this default?

The session should be deleted.

Please debug on the server side a bit more and report anything unexpected.
For instance, "Deleted session" should appear on the server logs.

Offline

#5 2022-09-28 07:51:32

htits2008
Member
Registered: 2015-03-25
Posts: 34

Re: session_signature is not invalidated after logout? is this default?

I have same sample. I think that javascript client can't login out. and It shall down by time out only.
<code>
20220928 14503721 call      mormot.rest.sqlite3.TRestServerDB(0a049570) Auth UserName=xxx&Session=733137&session_signature=000b2fd10082dc93c261c1d9
20220928 14503721 debug     mormot.rest.sqlite3.TRestServerDB(0a049570) TRestServerRoutingRest.Error: {  "errorCode":400,  "errorText":"Bad Request"  }
</code>

Offline

#6 2022-09-28 07:56:56

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655
Website

Re: session_signature is not invalidated after logout? is this default?

Please debug a bit more, i.e. run the server in the debugger and find out what occurs, and what could be fixed.

IIRC some weeks ago, I made some fixes to the session logout endpoint.
TRestServerAuthentication.AuthSessionRelease should properly log out and delete the session.

Offline

#7 2022-09-28 07:57:23

htits2008
Member
Registered: 2015-03-25
Posts: 34

Re: session_signature is not invalidated after logout? is this default?

I am working on M2.0.3780 , FPC

Offline

#8 2022-09-28 07:59:46

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655
Website

Re: session_signature is not invalidated after logout? is this default?

Clearly outdated.

Offline

#9 2022-09-28 08:58:59

htits2008
Member
Registered: 2015-03-25
Posts: 34

Re: session_signature is not invalidated after logout? is this default?

I down the new release mORMot 2.0.4099 . and it is ok! thanks !

Offline

Board footer

Powered by FluxBB