When we open the website, a PHP Session ID is set up in the cookies on the browser.
After login (as admin), the Session ID remains the same.
I can use that Session ID to make requests from a tool like Postman as well.
Then after logout, Session ID still remains the same on the browser.
At this point, when I make requests from Postman they are denied - which is good.
Then, logging in again as a user on the same browser, the Session ID is still the same!
Requests from Postman using this Session ID to access admin-only Wappler APIs fail - which is good. Only those APIs work which the user has access to.
Then after logout, the Session ID still remains the same.
The only problem here is that a security firm that audits this web app (services enlisted by the client themselves) has raised this as a High Severity issue with firm confidence.
And this is the remediation info shared by the sec firm: It should be done using the session management features of the PHP application server, using session_start(), session_regenerate_id() or other appropriate mechanisms.
Can Wappler make changes to reset Session ID at these touch points (security login/security logout perhaps)?
I suspect the same issue might apply to Node.JS as well - if yes, I request similar changes to reset the Session ID there as well please!
Made some small updates to the sessions and security provider which you can test. It should now only generate a session cookie when a session is being set and the security provider should generate a new session each time with login and logout.
Session.zip (Unzip to dmxConnectLib/lib/core)
Provider.zip (Unzip to dmxConnectLib/lib/auth)
{"code":0,"file":"/html/dmxConnectLib/lib/core/Session.php","line":8,"message":"Use of undefined constant session_name - assumed 'session_name' (this will throw an Error in a future version of PHP)","trace":"#0 /html/dmxConnectLib/lib/core/Session.php(8): exception_error_handler(2, 'Use of undefine…', '/htm…', 8, Array)\n#1 /html/dmxConnectLib/lib/App.php(38): lib\core\Session->__construct()\n#2 /html/dmxConnect/api/Security/PortalParameters.php(5): lib\App->__construct()\n#3 {main}"}
It should refresh the session id on login and logout.
You can check in dmxConnectLib/lib/auth/Provider.php line 96 the call to $this->app->session->new() which should generate the new session id. The setIdentity method is called on login and logout.
The code for regenerating the session id is in dmxConnectLib/lib/code/Session.php line 36-38.
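The behaviour the thread is asking for (a new session id on login, the session discarded on logout, as in the auditor's remediation note and in the description of setIdentity above) written out as an added example in plain PHP. This is not Wappler's own Session.php or Provider.php; the function names startSession, secureLogin and secureLogout are hypothetical, and the example assumes PHP 7.3 or later for the array form of setcookie().

```php
<?php
// Added example, not Wappler's code: rotate the session id on login and
// discard the session (server side and browser cookie) on logout.
// Function names are hypothetical.
declare(strict_types=1);

function startSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // HttpOnly keeps the id away from page scripts, SameSite limits
    // cross-site sending, Secure only has effect over HTTPS.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => isset($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once credentials have been verified. Regenerating the id here means an
// id that was visible before authentication cannot be used for the
// authenticated session (session fixation).
function secureLogin(array $identity): void
{
    startSession();
    // true = delete the old session data so the previous id is unusable
    session_regenerate_id(true);
    $_SESSION['identity'] = $identity;
    $_SESSION['login_at'] = time();
}

// Logout: empty the data, expire the cookie in the browser, then destroy the
// server-side session so the old id no longer maps to anything.
function secureLogout(): void
{
    startSession();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Example use inside a login/logout endpoint (constructed identity data):
// secureLogin(['id' => 42, 'role' => 'admin']);
// secureLogout();
```

One detail that bears on the "cookie removed, then the same id comes back" observation in this thread: session_destroy() does not forget the id the browser sent, so a further session_start() in the same request picks the old id up from $_COOKIE again. If a fresh session has to be created in the same request as the logout, follow that session_start() with session_regenerate_id(true); on a redirected page the browser no longer sends the expired cookie and PHP issues a new id by itself.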
Upon each login the session id does change - I have tested this.
But after logout, the session id remains the same in the browser as it was set right after login.
I have rechecked that we are indeed doing a security logout in the Wappler API.
Also, not sure if this means anything, but on logout I can see that the cookie set here:
is removed for a split second, then the same session id is added back as the page redirects to the login page after the logout API call was successful.
Does it work correctly if you do not redirect directly after the logout, i.e. with a small timeout? I have the idea that there is some race condition happening there; I will try to investigate it.
I have tried to stop the redirection on logout - in such a case, after the logout API that has the security logout step is run, the session on the browser remains the same. It is not deleted, nor does it change.
I cannot run any API post-logout using that session id - so that is good.
But the underlying concern of that session id not being removed or changed still stands - that is not yet fixed.
The tests that I've done until now do not show this behavior; after a redirect it also changes. How do you call the logout, do you link to the action file or do you use Server Connect for it?