
Session cookies in WLUS (was: test case 009 add one user)



(i moved this discussion to debian-edu@l.d.o, because it is both in
English and relevant to development. the
Norwegians/Scandinavians on the user list might not be
interested.)

* Morten Arnesen (mort1arn@online.no) [040410 15:56]:
> i ran a test on case 009 delete one user.
> 
> the test concluded with error, deletion without adminpasswd.

the session cookie i issue for saving the state lasts 5 minutes,
just like the default for webmin's cookie, which determines whether
one is still logged in or needs to authenticate anew.

session cookies allow for this attack: 

admin logs in and authenticates.  
admin does GoodStuff.  
admin leaves website and place, browser still open.  
EvilGuy comes before webmin's session cookie expires, hits the
  back button until he comes to the webmin page again and does
  EvilStuff.

The session cookie belongs to the open web browser. it has nothing
to do with leaving the web page or so. we won't get rid of the
webmin session cookie, it is part of webmin. how evil is it to
use a WLUS session cookie for a similar purpose, and allowing for
a similar attack?



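As an added illustration (not webmin or WLUS code, and not from the thread's author), the following Python sketch shows the three mitigations the discussion above turns on, from the defender's side: a server-side session table whose entries expire after the 5 minutes mentioned in the mail, an explicit logout that forgets the token so a replay from browser history is refused, and a re-check of the admin password on the destructive "delete one user" action even when the session is still live (the failure test case 009 reported). Names such as `SessionStore`, `UserAdmin`, the `correct-horse` sample password and the `alice`/`bob` user list are constructed for the example; the fixed (non-sliding) lifetime is an assumption about how the 5-minute cookie behaves.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 5 * 60  # the 5-minute lifetime discussed in the thread

# Constructed admin credential: salted PBKDF2 hash of a sample password (illustration only).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

ADMIN_SALT = secrets.token_bytes(16)
ADMIN_PASSWORD_HASH = _hash_password("correct-horse", ADMIN_SALT)  # constructed sample secret

def check_admin_password(password: str) -> bool:
    # Constant-time comparison so a wrong guess does not leak how much matched.
    return hmac.compare_digest(_hash_password(password, ADMIN_SALT), ADMIN_PASSWORD_HASH)

class SessionStore:
    """Server-side session table keyed by an opaque, random cookie value."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable clock so expiry can be exercised deterministically
        self._sessions = {}         # token -> {"user": str, "expires": float}

    def login(self, user, password):
        """Issue a fresh token only after the password checks out; None otherwise."""
        if not check_admin_password(password):
            return None
        token = secrets.token_urlsafe(32)
        # Assumption: fixed lifetime from issue time, not a sliding idle timeout.
        self._sessions[token] = {"user": user, "expires": self.clock() + self.ttl}
        return token

    def user_for(self, token):
        """Return the user bound to a live session, or None; expired entries are purged."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self.clock() >= entry["expires"]:
            del self._sessions[token]
            return None
        return entry["user"]

    def logout(self, token):
        """Server forgets the token, so a page replayed via the back button cannot reuse it."""
        self._sessions.pop(token, None)

class UserAdmin:
    """Toy user-management front end guarded by the session store."""

    def __init__(self, store):
        self.store = store
        self.users = {"alice", "bob"}  # constructed sample directory

    def list_users(self, token):
        if self.store.user_for(token) is None:
            return None                # not logged in (or session expired / logged out)
        return sorted(self.users)

    def delete_user(self, token, name, admin_password):
        """Destructive action: a live session alone is not enough, the admin password is re-checked."""
        if self.store.user_for(token) is None:
            return "not logged in"
        if not check_admin_password(admin_password):
            return "admin password required"
        self.users.discard(name)
        return "deleted"

def run_scenario():
    """Replay the thread's scenario against a fake clock and collect the outcomes."""
    clock = {"t": 0.0}
    store = SessionStore(clock=lambda: clock["t"])
    admin = UserAdmin(store)
    results = {}
    results["bad_login"] = store.login("root", "wrong-password")
    token = store.login("root", "correct-horse")
    results["delete_no_password"] = admin.delete_user(token, "bob", "")
    results["delete_with_password"] = admin.delete_user(token, "bob", "correct-horse")
    clock["t"] += 4 * 60
    results["still_valid_at_4min"] = admin.list_users(token)
    clock["t"] += 2 * 60
    results["expired_at_6min"] = admin.list_users(token)
    token2 = store.login("root", "correct-horse")
    store.logout(token2)
    results["after_logout"] = admin.list_users(token2)
    return results

if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome!r}")
```

The point of `delete_user` re-checking the password is that the window between the admin walking away and the cookie expiring still exists (the cookie is the browser's, as the mail says), but within that window a replayed session can only read, not destroy; `logout` closes the window entirely for anyone who remembers to use it.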