  1. OpenMRS Core
  2. TRUNK-3938

JSESSIONID should be assigned after a user has been successfully authenticated

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Non-Essential
    • Resolution: Fixed
    • Affects Version/s: OpenMRS 1.8.4, OpenMRS 1.9.3
    • Fix Version/s: Platform 2.0.0
    • Component/s: None
    • Complexity:
      Low

      Description

      This issue was discovered by Timothy D. Morgan during the FLOSSHack event.

      Currently, the jsessionid is assigned before login; after the user is authenticated, the application continues to use it as the session cookie. This is bad because it exposes a vulnerability in the system.

      Proposed Solution:
      After the user has successfully authenticated, a new session cookie should always be assigned.

              People

              Assignee:
              harsha89 Harsha Kumara
              Reporter:
              wyclif Wyclif Luyima
              Votes: 0
              Watchers: 4

                Dates

                Created:
                Updated:
                Resolved:

                  Time Tracking

                  Estimated: 4h
                  Remaining: 1h
                  Logged: 3h