Authored by Thimo Kraemer

Zope: Unreliable Session Management

Zope comes with built-in session management. The Browser Id Manager identifies a particular browser by a unique browser id, which is then mapped to a session object when needed.

But that browser id can be manipulated by the client, which makes session fixation attacks easy.

Suppose someone links to your website with a validly formed session id (e.g. www.yourdomain.org?_ZopeId=39671465A4.bnRkCL8w). Zope will trust this id and use it for further requests. In any case, you should disable accepting the id via forms, query strings and URLs.

The following patch to the BrowserIdManager eliminates this insecure and annoying behaviour. Just create a new folder under your Product directory and save the file there as __init__.py.

After restarting Zope, each BrowserIdManager has its own random key, and the generated session ids are protected by an HMAC. Furthermore, a session id is invalidated server-side once it has expired. If you have a cookie lifetime of 0 (lifetime of the browser session), the session id will be invalidated after one day at the latest.

It is also possible to regenerate the browser id via REQUEST.SESSION.getBrowserIdManager().newBrowserId(). If you use a session-based authentication method (e.g. SessionCrumbler), you can create a new session id after login to prevent a session fixation attack.
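The attached patch is not reproduced on this page, so the following is an added, standalone illustration of the three defences the text describes (per-manager random key with HMAC-protected ids, server-side expiry after at most one day, and regeneration of the id after login), plus a request reader that only accepts the id from the cookie and ignores query strings and forms. It is not the patch itself and does not use Zope's API; the class and function names (SignedBrowserIdManager, browser_id_from_request, rotate_on_login), the id layout "timestamp.nonce.mac" and the 24-hour limit are assumptions of this example, and the cookie name _ZopeId is the one from the page.

```python
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "_ZopeId"       # cookie name as shown on the page
ONE_DAY = 24 * 3600           # assumed upper bound for a "lifetime of browser" cookie


class SignedBrowserIdManager:
    """Illustrative stand-in for a patched BrowserIdManager (not Zope's code).

    Browser ids have the assumed form "<timestamp>.<nonce>.<mac>", where the mac
    is an HMAC-SHA256 over "<timestamp>.<nonce>" under a key that is random per
    manager instance. Without the key, nobody can mint an id the server accepts.
    """

    def __init__(self, key=None, max_age=ONE_DAY):
        # Each manager gets its own random key at startup (constructed here).
        self.key = key if key is not None else secrets.token_bytes(32)
        self.max_age = max_age

    def _mac(self, payload):
        digest = hmac.new(self.key, payload.encode("ascii"), hashlib.sha256)
        return digest.hexdigest()[:32]

    def new_browser_id(self, now=None):
        """Mint a fresh, signed browser id carrying its creation time."""
        ts = int(time.time() if now is None else now)
        payload = f"{ts}.{secrets.token_hex(8)}"
        return f"{payload}.{self._mac(payload)}"

    def is_valid(self, browser_id, now=None):
        """Accept only ids we signed ourselves that are not older than max_age.

        An expired id is rejected here, which is the server-side invalidation
        the text describes: the client cannot extend its life by keeping the cookie.
        """
        if not isinstance(browser_id, str):
            return False
        parts = browser_id.rsplit(".", 1)
        if len(parts) != 2:
            return False
        payload, mac = parts
        # Constant-time comparison so the MAC check leaks no timing information.
        if not hmac.compare_digest(self._mac(payload), mac):
            return False
        try:
            ts = int(payload.split(".", 1)[0])
        except ValueError:
            return False
        now = time.time() if now is None else now
        return 0 <= now - ts <= self.max_age


def browser_id_from_request(cookies, query, form, manager, now=None):
    """Return a valid browser id taken from the cookie only.

    `query` and `form` are accepted as parameters purely to make the point:
    they are never consulted, so a link like ?_ZopeId=... cannot fix the session.
    """
    candidate = cookies.get(COOKIE_NAME)
    if candidate is not None and manager.is_valid(candidate, now=now):
        return candidate
    return None


def rotate_on_login(manager, old_browser_id, now=None):
    """Issue a brand-new id at login so a pre-set id never survives authentication.

    The returned id must replace the old one in the Set-Cookie header and in the
    session store; the old id is simply never honoured again.
    """
    new_id = manager.new_browser_id(now=now)
    assert new_id != old_browser_id
    return new_id


if __name__ == "__main__":
    mgr = SignedBrowserIdManager()
    bid = mgr.new_browser_id()
    print("fresh id valid:", mgr.is_valid(bid))
    print("tampered id valid:", mgr.is_valid(bid[:-1] + "0"))
    print("id from query string accepted:",
          browser_id_from_request({}, {COOKIE_NAME: bid}, {}, mgr) is not None)
    print("rotated after login:", rotate_on_login(mgr, bid) != bid)
```

In a real deployment the key must persist across restarts (or all sessions are invalidated on every restart, which is what the text implies happens after applying the patch and restarting) and the expiry checked here should match the cookie's own lifetime so that server and browser agree on when a session ends.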

Attached file: bidm_patch.py (4.39 KB)