sessions being duplicated?

andy knasinski
Just migrated a site from Lasso 8.5 on Windows to 8.6.3 with Apache and am having session issues: session IDs are being reused across different site users, thus munging up some data. I don't see anything in the release notes that would explain this oddity.
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

Re: sessions being duplicated?

stevepiercy
Do you use session IDs in the URL?  Users can copy and paste the
URL in email or messaging, thus granting other users access to it.

--steve


-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder              
Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>


Re: sessions being duplicated?

James Harvard
Yeah, I too had a nightmare with sessions after upgrading 8.6.0 to 8.6.3. The good news is that after a certain amount of blood, sweat and tears last month, I can at least now tell you what the problem is :-)

You're right - there has been an (AFAIK) undocumented change in how expired sessions are handled. You can see the code for session_start() via the following path in your Lasso installation's 'Documentation' directory:
Documentation/3 - Language Guide/LassoApps/Startup/sessiontrackerinit.lasso

Also I've tried uploading both the 8.6.0 and 8.6.3 versions to this site http://diffboard.com/snippets/iALiHfba/versions/2 which displays a 'diff' comparison of the two. (I'm not overwhelmed by diffboard.com - anyone know a better one for publicly posting diffs?)

Previously Lasso issued a new session ID if an attempt was made to load an expired session. However, in 8.6.3 the expired session ID is reused (see line 224 in sessiontrackerinit.lasso). I don't know if this was a deliberate change by Lassosoft, but now I know someone else has had problems I suppose I should take this explanation and whack in a bug report :-/

My problem was with some old code that uses link-based session IDs. We knew that some session IDs had got erroneously hard-coded into links by users (and thence into search engine indexes too), but it hadn't been a serious problem in the past. Suddenly, after 8.6.3 there was considerable chaos with users getting sessions mixed up with one another. It seems users were hitting the site via URLs that included a session ID, and where previously they would at worst have just started a new session, each with a different session ID, now the first user would 'resurrect' the session ID and subsequent users would find they were hitting a live session.

(Actually many of the reports came in as "I keep on getting logged out", which I guess was user A and user B not realising they're sharing the same session, then user B logs out and user A gets a 'you're no longer logged in' error message on their next page request.)

If it helps, here's my new code that fixes the problem by calling session_end (to prevent the session ID being added to links on the page), and redirects to the same URL without the session ID (to try and kill off the session IDs currently lurking in search engine indices).

<?lassoscript
session_start( -name='user', -expires=(60*4), -uselink );
if( session_result == 'expire' );
        session_end( -name='user' );
        // redirect to non-session URL
        var('new_url') = ('http://' + server_name + response_filepath);
        $new_url += '?';
        iterate( client_getargs->split('&'), var('i') );
                ! $i->beginswith('-session=user:') ? $new_url += ($i + '&');
        /iterate;
        $new_url->removetrailing('&')&removetrailing('?');
        redirect_url( $new_url, -type='301' );
/if;
?>

HTH,
James

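The query-string scrubbing in James's Lasso snippet, re-implemented in Python as an added example (this is not code from the thread, nor Lasso's own session tracker) so the redirect behaviour can be checked offline. It generalises the snippet slightly: the session name is a parameter rather than fixed to 'user', and a query left empty after scrubbing yields a URL with no trailing '?'. The function names and the sample URLs used in the comments are assumptions made for this example.

```python
"""Strip a Lasso-style link session ID from a URL before redirecting.

Added example, not code from the thread: a Python re-implementation of the
query-string scrubbing in James Harvard's Lasso snippet. Names (scrub_query,
build_redirect_url, needs_redirect) and the sample URLs are constructed for
this example.
"""
from urllib.parse import urlsplit, urlunsplit


def scrub_query(query: str, session_name: str = "user") -> str:
    """Drop every '-session=<name>:...' argument from a raw query string.

    Lasso's -uselink mode appends '-session=user:<id>' to links, so any copy
    of such a link (e-mail, chat, a search-engine index) replays that ID.
    All other arguments are kept in their original order, like the
    iterate/beginswith loop in the original snippet; empty arguments (a
    trailing '&') are dropped too.
    """
    marker = f"-session={session_name}:"
    kept = [arg for arg in query.split("&") if arg and not arg.startswith(marker)]
    return "&".join(kept)


def build_redirect_url(url: str, session_name: str = "user") -> str:
    """Return the same URL with the link session ID removed.

    Mirrors the '301 redirect to the non-session URL' in the snippet: scheme,
    host, path and fragment are preserved; an emptied query produces no '?'.
    Example (constructed):
      http://example.com/login.lasso?-session=user:ABC123&page=2
      -> http://example.com/login.lasso?page=2
    """
    parts = urlsplit(url)
    clean_query = scrub_query(parts.query, session_name)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, clean_query, parts.fragment))


def needs_redirect(url: str, session_name: str = "user") -> bool:
    """True when the request URL carries a link session ID at all.

    In the snippet the redirect only fires inside the session_result ==
    'expire' branch; this helper answers the narrower question of whether a
    session ID is present in the URL, which is what decides whether the
    rewritten URL differs from the original.
    """
    return build_redirect_url(url, session_name) != url


if __name__ == "__main__":
    sample = "http://example.com/login.lasso?-session=user:ABC123&page=2"  # constructed
    print(build_redirect_url(sample))
```

Note that a 301 is cached by browsers and honoured by search engines, which is exactly what you want for purging indexed session links, but it also means the scrubbed URL must be the one you intend to keep serving.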

Re: Re: sessions being duplicated?

Jordon Davidson
In reply to this post by andy knasinski
Thank you for your message.

Please note that I will be out of the office from:

Wednesday, March 12, 2014, returning Monday, March 17, 2014.

If your matter is urgent and requires immediate response, please contact our Support Team at [hidden email] or 905.836.4442 Ext. 4 for assistance.  Another team member would be happy to assist.

If this message was directed to [hidden email],  another team member will be attending to your request.

Thank you,


Jordon Davidson
Senior Developer
Treefrog Interactive Inc.




Re: sessions being duplicated?

James Harvard
On 12 Mar 2014, at 19:45, [hidden email] wrote:

> Thank you for your message.

You're welcome!

> Please note that I will be out of the office from:

Oh, right.

Shouldn't the list software catch and disregard auto-replies?

Re: sessions being duplicated?

Jonathan Guthrie-3
You'd think so, but it seems that Mailman is not recognizing some autoresponders.
I've manually unsubbed him for now :)



On Mar 12, 2014, at 3:54 PM, James Harvard <[hidden email]> wrote:

> On 12 Mar 2014, at 19:45, [hidden email] wrote:
>
>> Thank you for your message.
>
> You're welcome!
>
>> Please note that I will be out of the office from:
>
> Oh, right.
>
> Shouldn't the list software catch and disregard auto-replies?

Jono

----------------------------
Jonathan Guthrie
[hidden email]
@iamjono
LassoSoft Inc.
AIM Chatroom: lassochat
IRC/freenode #lasso


Re: sessions being duplicated?

Jonathan Guthrie-3
In reply to this post by James Harvard
James, can you submit the info as an issue at http://www.lassosoft.com/rhinotrac please?

Make sure you include all relevant info, including any fix or mitigation.

That way it can be properly accounted for, and those that maintain the Lasso 8.6 product can catch it without trawling the list for issues.

Thanks
Jono



Re: sessions being duplicated?

Jolle Carlestam-2
In reply to this post by James Harvard
On 13 Mar 2014, at 05:54, James Harvard <[hidden email]> wrote:

> On 12 Mar 2014, at 19:45, [hidden email] wrote:
>
>> Thank you for your message.
>
> You're welcome!
>
>> Please note that I will be out of the office from:
>
> Oh, right.
>
> Shouldn't the list software catch and disregard auto-replies?

Jordon works for Treefrog. They are infallible, thus override any automatic filters mail servers could try to impose.

HDB
Jolle

Re: sessions being duplicated?

stevepiercy
In reply to this post by andy knasinski
Additionally I would recommend blocking bots from starting sessions using Bil's tag.

--steve



Re: sessions being duplicated?

James Harvard
In reply to this post by Jonathan Guthrie-3
Quite right - I had intended to submit a report, but hadn't quite got around to it. :-/

For the record (i.e. list archive), this issue is now logged as http://www.lassosoft.com/rhinotrac?id=7731

James


Re: sessions being duplicated?

Bil Corry-3
In reply to this post by James Harvard
It's more than a casual bug, if sessions can be resurrected, then an
attacker can just brute-force guess session IDs with a much higher
likelihood of finding a valid session ID, and any sniffed session IDs can
be replayed at any time.


- Bil


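To make concrete the behaviour James describes (an expired session's ID is handed back to whoever presents it, where 8.6.0 minted a fresh one) and why Bil treats it as more than a casual bug, here is an added example, not Lasso's sessiontracker code: a small in-memory session store in Python with the two expiry policies side by side, and a simulation of two visitors arriving through the same stale link. The class and function names, the result strings modelled on session_result, and the sample timings are assumptions for this example.

```python
"""Two policies for an expired session ID, modelled in Python.

Added example, not Lasso's own code. SessionStore(reuse_expired_id=True)
behaves like the 8.6.3 sessiontracker as described in the thread: a
presented-but-expired ID becomes the ID of the new session. With
reuse_expired_id=False a fresh random ID is issued instead, as before.
Names, result strings and timings are constructed for this example.
"""
import secrets

EXPIRES_SECONDS = 60 * 4 * 60  # 4 hours, matching -expires=(60*4) minutes


class SessionStore:
    def __init__(self, reuse_expired_id: bool):
        self.reuse_expired_id = reuse_expired_id
        self._sessions = {}  # session id -> {"data": dict, "expires": float}

    def _fresh_id(self) -> str:
        # 128 bits from the OS CSPRNG; unguessable, never derived from input.
        return secrets.token_urlsafe(16)

    def start(self, presented_id, now: float):
        """Open or create a session; returns (session_id, result).

        result mirrors session_result: 'load' for a live session, 'expire'
        when the presented ID existed but had expired, 'new' otherwise.
        """
        entry = self._sessions.get(presented_id) if presented_id else None
        if entry is not None and entry["expires"] > now:
            return presented_id, "load"
        if entry is not None:
            # Expired: discard the old record. The only difference between
            # the two policies is which ID the replacement session gets.
            del self._sessions[presented_id]
            result = "expire"
            new_id = presented_id if self.reuse_expired_id else self._fresh_id()
        else:
            result = "new"
            new_id = self._fresh_id()
        self._sessions[new_id] = {"data": {}, "expires": now + EXPIRES_SECONDS}
        return new_id, result

    def data(self, session_id: str) -> dict:
        return self._sessions[session_id]["data"]


def simulate_shared_link(reuse_expired_id: bool):
    """Two visitors follow the same link that still carries an old session ID.

    Returns (shared, result_for_first_visitor, user_seen_by_second_visitor).
    Under the reuse policy the first visitor re-creates the session under the
    stale ID and logs in; the second visitor presents the same ID, finds a
    live session and lands inside the first visitor's login. Under the fresh-ID
    policy the stale ID is gone after the first visit, so the second visitor
    simply gets a new, unrelated session.
    """
    store = SessionStore(reuse_expired_id)
    t0 = 0.0
    stale_id, _ = store.start(None, t0)              # original session, later copied into a link
    later = t0 + EXPIRES_SECONDS + 1                 # that session has now expired
    id_a, result_a = store.start(stale_id, later)    # visitor A arrives via the link
    store.data(id_a)["user"] = "alice"               # A logs in (constructed user name)
    id_b, _ = store.start(stale_id, later + 10)      # visitor B follows the same link
    return id_a == id_b, result_a, store.data(id_b).get("user")


if __name__ == "__main__":
    print("reuse expired ID:", simulate_shared_link(True))    # (True, 'expire', 'alice')
    print("fresh ID on expiry:", simulate_shared_link(False))  # (False, 'expire', None)
```

The same model explains Bil's point about replay: with the reuse policy an ID that was ever valid stays usable indefinitely, because presenting it after expiry simply re-creates a session under it, so expiry no longer bounds the lifetime of a leaked or indexed ID. Issuing a fresh ID on expiry (and, for the link-based case, scrubbing the ID from the URL as in James's fix) restores that bound.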

Re: sessions being duplicated?

Alan Linnenbank
We are running into this as well. Thanks for reporting this! We have also had complaints of users getting mixed-up data.




Re: sessions being duplicated?

James Harvard
In reply to this post by Bil Corry-3
Ah, perhaps I shouldn't have said 'resurrected' - it gives the wrong impression rather. What I meant was that a new session is created in the database with the old session ID, so no session variables are carried across between the old and new sessions.

I might be wrong, but AFAIK this is only a problem when different people arrive at the site or log in via a link / form with the same session ID. In one case I saw, people had erroneously coded a session ID into the log-in form; in another it was people clicking through to a site via a Google result that had a session ID.

James

>>        $new_url += '?';
>>        iterate( client_getargs->split('&'), var('i') );
>>                ! $i->beginswith('-session=user:') ? $new_url += ($i + '&');
>>        /iterate;
>>        $new_url->removetrailing('&')&removetrailing('?');
>>        redirect_url( $new_url, -type='301' );
>> /if;
>> ?>
>>
>> HTH,
>> James
>>
>> On 11 Mar 2014, at 22:11, Steve Piercy - Web Site Builder wrote:
>>
>>> Do you use session IDs in the URL?  Users can copy and paste the URL in
>> email or messaging, thus granting other users access to it.
>>>
>>> --steve
>>>
>>>
>>> On 3/11/14 at 4:21 PM, [hidden email] (Andy Knasinski) pronounced:
>>>
>>>> Just migrate a site from Lasso 8.5 on Windows to 8.6.3 with Apache and
>> am having session issues - session id's are being reused across different
>> site users thus munging up some data. I don't see anything in release notes
>> that would explain this oddity.
>>>
>>> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
>>> Steve Piercy               Web Site Builder               Soquel, CA
>>> <[hidden email]>                  <http://www.StevePiercy.com/>

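To make the two behaviours James describes concrete, here is an added Python model (not Lasso code, and not from anyone in this thread) of a link-based session tracker: with `reuse_expired_id=True` a dead ID presented in a link becomes a live session under that same ID, so a second visitor following the same indexed link lands in the first visitor's session; with `False` each visitor gets a fresh ID. `handle_request` mirrors the fix posted above (end the session and redirect to the URL with the `-session=user:...` argument stripped). The session name `user`, the `site.example` URLs and the stale ID are constructed for the example.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class SessionTracker:
    """Toy link-session tracker (constructed model, not Lasso's sessiontrackerinit code)."""

    def __init__(self, reuse_expired_id, ttl=4 * 3600):
        # True mirrors the 8.6.3 behaviour from the thread; False the earlier behaviour.
        self.reuse_expired_id = reuse_expired_id
        self.ttl = ttl
        self.store = {}  # session id -> expiry timestamp (session variables omitted)

    def start(self, presented_id, now):
        """Return (session_id, result); result is 'load', 'expire' or 'new' like session_result."""
        if presented_id in self.store and now < self.store[presented_id]:
            return presented_id, 'load'                 # live session: genuinely this client's
        if presented_id is None:
            sid, result = secrets.token_hex(16), 'new'  # no ID presented at all
        else:
            self.store.pop(presented_id, None)          # a stale or unknown ID was presented
            sid = presented_id if self.reuse_expired_id else secrets.token_hex(16)
            result = 'expire'
        self.store[sid] = now + self.ttl
        return sid, result


def strip_session_from_url(url, name='user'):
    """Drop Lasso's link-session argument (-session=<name>:<id>) from a URL's query string."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not (k == '-session' and v.startswith(name + ':'))]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def handle_request(tracker, presented_id, url, now):
    """The thread's fix: on 'expire', end the session and redirect to a session-free URL.

    Returns ('redirect', clean_url) or ('ok', session_id).
    """
    sid, result = tracker.start(presented_id, now)
    if result == 'expire':
        tracker.store.pop(sid, None)   # session_end: this ID is never written into links
        return 'redirect', strip_session_from_url(url)
    return 'ok', sid


def demo():
    """Two unrelated visitors follow the same indexed link carrying a dead session ID."""
    stale = 'user:0123456789abcdef'  # constructed stale ID, as found in a search-engine result
    link = 'http://site.example/page.lasso?-session=' + stale
    shared = SessionTracker(reuse_expired_id=True)
    a, _ = shared.start(stale, now=0)
    b, rb = shared.start(stale, now=60)       # second visitor 'load's a live session: fixation
    fixed = SessionTracker(reuse_expired_id=True)
    first = handle_request(fixed, stale, link, 0)
    second = handle_request(fixed, stale, link, 60)  # session gone, so redirect again
    return {'shared_session': a == b and rb == 'load', 'first': first, 'second': second}


if __name__ == '__main__':
    print(demo())
```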

Re: sessions being duplicated?

Bil Corry-3
Thanks James for the clarification.  It's a session fixation vulnerability
instead.


- Bil


On Tue, Mar 18, 2014 at 3:20 PM, James Harvard <
[hidden email]> wrote:

> Ah, perhaps I shouldn't have said 'resurrected' - it gives the wrong
> impression rather. What I meant was that a new session is created in the
> database with the old session ID, so no session variables are carried
> across between the old and new sessions.
>
> I might be wrong, but AFAIK this is only a problem when different people
> arrive at the site or log in via a link / form with the same session ID. In
> one case I saw this was that people had erroneously coded a session ID into
> the log-in form, in another it was people clicking through to a site via a
> Google result that had a session ID.
>
> James

Re: sessions being duplicated?

James Harvard
Not a term I was familiar with, so for the benefit of anyone else wondering:
https://www.owasp.org/index.php/Session_fixation
http://en.wikipedia.org/wiki/Session_fixation


On 18 Mar 2014, at 16:44, Bil Corry wrote:

> Thanks James for the clarification.  It's a session fixation vulnerability
> instead.
>
>
> - Bil


Re: sessions being duplicated?

Kyle Jessup-2
In reply to this post by James Harvard

On Mar 12, 2014, at 3:45 PM, James Harvard <[hidden email]> wrote:

> If it helps, here's my new code that fixes the problem by calling session_end (to prevent the session ID being added to links on the page), and redirects to the same URL without the session ID (to try and kill off the session IDs currently lurking in search engine indices).

Hi James, what was your old code?
-Kyle

> <?lassoscript
> session_start( -name='user', -expires=(60*4), -uselink );
> if( session_result == 'expire' );
>         session_end( -name='user' );
>         // redirect to non-session URL
>         var('new_url') = ('http://' + server_name + response_filepath);
>         $new_url += '?';
>         iterate( client_getargs->split('&'), var('i') );
>                 ! $i->beginswith('-session=user:') ? $new_url += ($i + '&');
>         /iterate;
>         $new_url->removetrailing('&')&removetrailing('?');
>         redirect_url( $new_url, -type='301' );
> /if;
> ?>
>
> HTH,
> James


Re: sessions being duplicated?

James Harvard
Pseudo-ish code:

if( session_id() != '' || cookie('session_cookie_name') != '' || $login_in_progress );
        session_start( -name='user', -expires=(60*4), -uselink );
/if;

That conditional still surrounds my session code, now updated as below.

When I first started working on this code it was running session_start for every page request, so I wrapped it in a conditional to try and avoid starting sessions for requests that don't need them (basically search engine crawlers and not-logged-in users).

HTH,
James

On 20 Mar 2014, at 14:52, Kyle Jessup wrote:

>
> On Mar 12, 2014, at 3:45 PM, James Harvard <[hidden email]> wrote:
>
>> If it helps, here's my new code that fixes the problem by calling session_end (to prevent the session ID being added to links on the page), and redirects to the same URL without the session ID (to try and kill off the session IDs currently lurking in search engine indices).
>
> Hi James, what was your old code?
> -Kyle
