Unique SESSION information at the application level

Project:RUetd
Version:2.1.0
Component:Code
Category:bug report
Priority:critical
Assigned:chadmills
Status:closed
Description

Right now SESSION information is shareable among different application installations, i.e. after logging into the workshop instance and changing the URL to the production instance the user is fully logged in. Add a unique key per application and build in checks for it.

Comments

#1

Priority:normal» critical

This allows anyone who is using the Workshop to (inadvertently or purposefully, once they discover it) gain access to the production list of submissions of a graduate school. I am able to replicate this in both Firefox and IE, such that I have the entire list of submitted ETDs from GS-NB. This is a serious security breach of one of our most valuable assets.

#2

Assigned to:Anonymous» chadmills
Status:active» fixed

Added a variable, $GLOBALS['APP_INSTANCE_KEY'] , that houses a unique key entry in the library/config.php file. When a user logs into one of the application instances this key is stored in the $_SESSION variable scope. A function called checkUser() is called at the head of all scripts that will validate the key in the configuration file against the one stored in the $_SESSION variable scope. If a mismatch occurs, the SESSION information is scrubbed and the user is sent to the login screen of the instance they are currently at.

Implemented in production, workshop, test and development. Please test by logging into one of the instances and then changing the URL to another; you should be sent to a login screen.

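One way to implement the check described in comment #2, shown here as an added example written for this page and not the RUetd project's own code. Only $GLOBALS['APP_INSTANCE_KEY'], $_SESSION, library/config.php and checkUser() come from the comment; the login URL, the helper names, the session cookie name and the cookie handling are assumptions. The example also goes slightly beyond the comment: it gives each instance its own session cookie name and regenerates the session id at login, so two instances on the same host do not present the same cookie to each other in the first place.

```php
<?php
// Added example, not RUetd code: per-instance session key check (comment #2).

// --- library/config.php (assumed layout) ---
// Each installation (production, workshop, test, development) gets its own
// random value; generate it once, e.g. with bin2hex(random_bytes(32)).
$GLOBALS['APP_INSTANCE_KEY'] = 'REPLACE-WITH-A-PER-INSTANCE-RANDOM-VALUE';
$GLOBALS['APP_LOGIN_URL']    = '/login.php';   // assumed login page of this instance

// Start the session under a cookie name derived from this instance's key
// (added hardening beyond the comment: the browser then keeps one cookie per
// instance instead of one shared cookie).
function startInstanceSession(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        $suffix = substr(hash('sha256', $GLOBALS['APP_INSTANCE_KEY']), 0, 16);
        session_name('RUETD_' . $suffix);
        session_start();
    }
}

// Called after credentials have been verified: bind the session to this instance.
function loginUser(string $username): void
{
    startInstanceSession();
    session_regenerate_id(true);                 // fresh id on privilege change
    $_SESSION['user']             = $username;
    $_SESSION['APP_INSTANCE_KEY'] = $GLOBALS['APP_INSTANCE_KEY'];
}

// Pure comparison, kept separate so it can be unit-tested without a live session.
function sessionBelongsToThisInstance(array $session, string $instanceKey): bool
{
    if (!isset($session['APP_INSTANCE_KEY']) || !is_string($session['APP_INSTANCE_KEY'])) {
        return false;
    }
    return hash_equals($instanceKey, $session['APP_INSTANCE_KEY']);
}

// Called at the head of every script, before any protected output is produced.
function checkUser(): void
{
    startInstanceSession();
    if (!isset($_SESSION['user'])
        || !sessionBelongsToThisInstance($_SESSION, $GLOBALS['APP_INSTANCE_KEY'])) {
        // Mismatch or no login: scrub the session server-side, drop the cookie,
        // and send the user to the login screen of the instance they are at.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        header('Location: ' . $GLOBALS['APP_LOGIN_URL'], true, 302);
        exit;
    }
}
```

hash_equals() is used rather than == so the comparison does not short-circuit on the first differing byte, and the scrub happens on the server (session_destroy()) rather than only in the browser, so a cookie that is replayed against another instance finds nothing to resume.
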
#3

Status:fixed» closed

Tested and verified fixed.
Closed.
