Is there a way to change / renew the session cookie once this is created?

Product is Caché
Version is 2018.1

Hi

I'm working on a security issue in the system: once you are logged into a session
and you save this cookie, you can go to another browser and use this cookie to be registered.

I would like to change this cookie once the user is logged into my system, but I can't log out and
log in again because all my cookies are removed.

Is there a way to change the cookie or renew it?

Thanks a lot.

Replies

Every time you interact with the page your session is extended for session timeout.

If there's no interaction from user after session timeout the session dies and cookie becomes invalid.

You can adjust session timeout parameter in web application settings.

That is right, but as long as the cookie session timeout is valid (let's say 60 seconds) anybody that intercepts that cookie is effectively authenticated as long as the timeout is valid.

An ideal situation, as mentioned by Joan, would be to have a cookie that is used from the moment the user accesses the first page until they want to log in, and then, when the login request is received, invalidate that cookie and sessionID, create a new session identifier and return it.

Isn't there any way of invalidating a sessionID manually and creating a new one?

That is right, but as long as the cookie session timeout is valid (let's say 60 seconds) anybody that intercepts that cookie is effectively authenticated as long as the timeout is valid.

Only as long as they share the same remote address. HTTPS offers additional protection. Really if someone can decode your HTTPS traffic to get the cookie you have a bigger problem.

Isn't there any way of invalidating a sessionID manually and creating a new one?

do %session.Logout()

Ends the session. Next request starts the new session.

do %session.Logout()

Ends the session. Next request starts the new session.

I know that this ends the session, but an approach could be with one client request end it, and return a new one. With this solution you need to wait until the next request to create the new one so you no longer know if the client is authenticated.

The other option as mentioned is to encrypt traffic and therefore the cookie can no longer be used.

but an approach could be with one client request end it, and return a new one

What for? Ending the session means the client exited. You can add additional user supplied cookie(s) and check/modify/delete them as you wish. On every request even.
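The suggestion above (a user-supplied cookie that the application itself checks, modifies or deletes on every request) can be illustrated with a small CSP page. This is an added example, not code from the thread or from InterSystems: the class name, the cookie name APPTOKEN, the %session.Data("AppToken") key and the login check are assumptions for illustration. The CSP session cookie itself is untouched; the page issues its own random token at login, stores the expected value server-side, and on every later request compares the cookie the browser sends with that stored value, ending the session when they differ.

```objectscript
/// Added example (not from the thread or from InterSystems): a CSP page that
/// issues its own token cookie next to the CSP session cookie and re-checks
/// it on every request. Class name, cookie name and session key are assumed.
Class Demo.TokenPage Extends %CSP.Page
{

Parameter COOKIENAME = "APPTOKEN";

/// Issue a fresh random token, store it in the session and send it as a cookie.
/// Call this right after the application's own login check succeeds, so a
/// token captured before login is no longer accepted afterwards.
ClassMethod IssueToken() As %String
{
    // 32 bytes from the system CSPRNG, Base64-encoded so it fits in a cookie
    Set token = $SYSTEM.Encryption.Base64Encode($SYSTEM.Encryption.GenCryptRand(32))
    Set %session.Data("AppToken") = token
    // Session-scoped cookie (no expiry), path "/", Secure and HttpOnly set
    Do %response.SetCookie(..#COOKIENAME, token, "", "/", "", 1, 1)
    Quit token
}

/// Compare the cookie presented by the browser with the value stored
/// server-side. Returns 1 when they match, 0 otherwise.
ClassMethod CheckToken() As %Boolean
{
    Set expected = $Get(%session.Data("AppToken"))
    Set presented = %request.GetCookie(..#COOKIENAME, "")
    Quit (expected '= "") && (presented = expected)
}

/// Runs on every request before any output. Once a token has been issued,
/// a request that does not present the matching cookie is refused and the
/// CSP session is ended with %session.Logout().
ClassMethod OnPreHTTP() As %Boolean
{
    If ($Get(%session.Data("AppToken")) '= "") && ('..CheckToken()) {
        Do %session.Logout()
        Set %response.Status = "403 Forbidden"
        Quit 0
    }
    Quit 1
}

ClassMethod OnPage() As %Status
{
    If %request.Get("action") = "login" {
        // the application's real credential check is assumed to have passed here
        Do ..IssueToken()
        Write "Logged in; application token issued",!
    } Else {
        Write "Token valid: ", ..CheckToken(),!
    }
    Quit $$$OK
}

}
```

Because the expected value lives in %session.Data and the cookie is only issued at login, a copy of the cookies taken before login does not carry the token, and after login the server-side value can be replaced at any time by calling IssueToken() again. This does not change the CSP session cookie itself, which is the point made later in the thread.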

The other option as mentioned is to encrypt traffic and therefore the cookie can no longer be used.

Cookies absolutely can be used with encrypted traffic. HTTP/HTTPS makes no difference for cookies sent by a browser.

Currently, there is no API to request a new session cookie.

If we wished to implement this in the absence of any real security concern it would need to be scheduled by our product management as an enhancement.

So far you have not suggested any compelling reason to do this.

Do you have an example of a valid attack against CSP?

Sorry, but I still do not see a general CSP related vulnerability problem here.

Please let us continue in WRC problem you've already opened for this same question recently.

Thanks and kind regards,
Bernd