View Issue Details

ID: 0028974
Project: mantisbt
Category: security
View Status: public
Last Update: 2023-02-15 03:51
Reporter: domosekai
Assigned To: (none)
Priority: normal
Severity: major
Reproducibility: always
Status: acknowledged
Resolution: open
Product Version: 2.25.2
Summary: 0028974: Multiple issues in session validation function
Description

The session validation function is an important feature that tracks the IP address of the session. However, the current implementation confuses me.

Problem 1: Invalidated session is not logged out
When a session is invalidated, a redirect (via meta refresh) occurs and the user is brought back to the home page. However, it does not sign the user out. The user continues to be able to do everything.

Problem 2: Redirect through meta refresh causes the browser to cache the page
That is to say, the user will still experience the redirect on the same page unless he/she manually refreshes it. However since the redirect is automatically executed in 4 seconds, he/she has to refresh it within the short period of time.

Steps To Reproduce

Verified with this site as well.

  1. Sign in with secure session enabled and permanent login disabled
  2. Browse to a random page
  3. Switch the IP address (with a VPN, for instance)
  4. If the page does not reload, reload manually
  5. A blank page is shown and the user is brought back to the home page
  6. The user is still logged in

Additional Information

Relevant code:
https://github.com/mantisbt/mantisbt/blob/f952508ecb654a8e10091302da7b2ccd936bd0b2/core/session_api.php#L203-L226
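The two problems above, as an added PHP illustration that is not MantisBT's own code (and not the reporter's): the first function reproduces the behaviour the report describes (meta refresh, session left alive, no cache headers), and the second shows the pattern that avoids both problems by destroying the session and its cookie, marking the response uncacheable, and redirecting with an HTTP Location header. All function names, the `_client_ip` session key and the `/login_page.php` URL are assumptions for this example.

```php
<?php
// Added example; not code from MantisBT's session_api.php.
// Assumed names: session_bind_client_ip(), session_client_ip_matches(),
// session_invalidate_weak(), session_invalidate_and_logout(),
// the session key '_client_ip' and the URL '/login_page.php'.

/** At login: remember the address the session was issued to. */
function session_bind_client_ip( string $ip ): void {
	$_SESSION['_client_ip'] = $ip;
}

/** True when the request's address matches the one bound at login. */
function session_client_ip_matches( array $session, string $current_ip ): bool {
	return isset( $session['_client_ip'] ) && $session['_client_ip'] === $current_ip;
}

/**
 * The pattern the report describes (Problems 1 and 2): the page sends a
 * meta refresh back to the home page but leaves the session alive and sends
 * no cache-control headers, so the user stays logged in and the browser may
 * keep serving the cached redirect page until it is reloaded manually.
 */
function session_invalidate_weak( string $home_url ): void {
	echo '<html><head><meta http-equiv="refresh" content="4;url='
		. htmlspecialchars( $home_url, ENT_QUOTES ) . '"></head><body></body></html>';
	exit;
}

/**
 * Hardened form: destroy the server-side session and its cookie, mark the
 * response as uncacheable, and redirect with an HTTP status and Location
 * header instead of a meta refresh.
 */
function session_invalidate_and_logout( string $login_url ): void {
	// Drop all server-side session state.
	$_SESSION = array();
	// Expire the session cookie using the same parameters it was set with.
	if( ini_get( 'session.use_cookies' ) ) {
		$p = session_get_cookie_params();
		setcookie( session_name(), '', time() - 42000,
			$p['path'], $p['domain'], $p['secure'], $p['httponly'] );
	}
	session_destroy();
	// no-store so neither this response nor the redirect target is cached.
	header( 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0' );
	header( 'Pragma: no-cache' );
	header( 'Location: ' . $login_url, true, 303 );
	exit;
}

// Per-request check (hypothetical front-controller code). REMOTE_ADDR is the
// TCP peer address; behind a reverse proxy it is the proxy's address, which is
// the situation related issue 0013035 is about, so in that deployment the
// bound value would have to come from a header set by a trusted proxy.
session_start();
if( isset( $_SESSION['_client_ip'] )
	&& !session_client_ip_matches( $_SESSION, $_SERVER['REMOTE_ADDR'] ?? '' ) ) {
	session_invalidate_and_logout( '/login_page.php' );
}
```

The check only runs once an address has been bound (i.e. after login), so anonymous requests are not redirected; the 303 plus `Cache-Control: no-store` is what stops the browser from replaying the redirect page from cache, and `session_destroy()` plus the expired cookie is what actually signs the user out.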

Tags: No tags attached.

Relationships

related to 0013035 acknowledged Secure Session Support for Platforms masking client source address but injecting HTTP headers 

Activities

dregad

2023-02-15 03:48

developer ~0067392

Just noticed that this problem had already been identified a long time ago, see 0013035:0028861