  1. OpenMRS Core
  2. TRUNK-3938

JSESSIONID should be assigned after a user has been successfully authenticated

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Non-Essential
    • Resolution: Fixed
    • Affects Version/s: OpenMRS 1.8.4, OpenMRS 1.9.3
    • Fix Version/s: Platform 2.0.0
    • Component/s: None
    • Complexity:
      Low

      Description

      This issue was discovered by Timothy D. Morgan during the FLOSSHack event.

      Currently, the jsessionid is assigned before login. After the user is authenticated, the application continues to use it as the session cookie; this is bad because it exposes a vulnerability in the system.

      Proposed Solution:
      After the user has successfully authenticated, a new session cookie should always be assigned.

                People

                Assignee:
                harsha89 Harsha Kumara
                Reporter:
                wyclif Wyclif Luyima

                    Time Tracking

                    Original Estimate: 4h
                    Remaining Estimate: 1h
                    Time Spent: 3h