Issues
- Hash session identifiers to avoid compromised database lookups of all session identifiers (LCE-41)
- RBAC Support (LCE-40, Brad Wood)
- Update the SDK for couchbase (LCE-39, Brad Wood)
- Revise build process so it matches the new extensions types (LCE-38, Luis Majano)
- Compat with Lucee 5.29> for default values (LCE-37, Brad Wood)
- Remove the lucee 4 branches (LCE-36, Brad Wood)
- Update documentation for Lucee 5 version (LCE-35, resolved, Brad Wood)
- Fix Logging for Lucee 5 (LCE-34, resolved, Brad Wood)
- Create log4j logger that proxies to the Lucee logging mechanism (LCE-32, resolved, Brad Wood)
- Implement finalizers to shutdown client (LCE-31, resolved, Brad Wood)
- Add support for license.properties file (LCE-30, resolved, Brad Wood)
- Add menu to Lucee admin to collect/process activation (LCE-29, resolved, Brad Wood)
- Update jars to latest and convert all internal calls (LCE-28, resolved, Brad Wood)
- Convert build to generate Lucee 5-compatible extension (LCE-27, resolved, Brad Wood)
- Add support for Lucee 5.x (LCE-26, resolved, Brad Wood)
- When installed at server level, web admins fail on cache licensing (LCE-25, resolved, Luis Majano)
- Update docs to new wikitext module and cb4 (LCE-24, resolved, Luis Majano)
- Create automated test suite (LCE-23, resolved, Luis Majano)
- Migrate tests to TestBox BDD tests (LCE-22, resolved, Brad Wood)
- Remove old extension libs when doing updates (LCE-21, resolved)
- Staleness of view querying is set to allow for stale data; update so it can auto-index before querying (LCE-20, resolved, Luis Majano)
- Lucee Support (LCE-19, resolved)
- When updating extension, re-activation is needed; this is annoying (LCE-18, resolved, Luis Majano)
- Java code optimizations (LCE-17, resolved, Luis Majano)
- Automation via Jenkins (LCE-16, resolved, Luis Majano)
- High-ASCII characters aren't retrieved properly when storing non-JSON (LCE-15, resolved, Brad Wood)
- Getting class loader from pageContext doesn't work if pc is null (LCE-14)
- Non-helpful error is thrown when activating license for order that is not found (LCE-13)
- Update to latest Java libraries (LCE-12, resolved)
- Timeouts over 30 days don't work (LCE-11, resolved, Brad Wood)
- Include the CFCouchbase SDK into the project (LCE-10)
- Remove all nosql features from extension (LCE-9)
- Calling client throws error (LCE-8, resolved, Luis Majano)
- Class casting errors due to Railo class loaders (LCE-7, resolved, Luis Majano)
- Update to latest Couchbase SDK v1.2 (LCE-6, resolved, Luis Majano)
- Add copyright notices (LCE-5, resolved, Luis Majano)
- Set optional timeout on a per-cache level (LCE-4)
- Add method to execute named view in Couchbase store (LCE-3, resolved, Brad Wood)
- Add method to return Couchbase client (LCE-2, resolved, Brad Wood)
- Don't encode simple values (LCE-1, resolved, Brad Wood)
Hash session identifiers to avoid compromised database lookups of all session identifiers
Description
Details
Assignee: Unassigned
Reporter: Pete Freitag
Priority: Major
Created November 22, 2019 at 3:17 PM
Updated November 22, 2019 at 6:17 PM
Activity
Brad Wood, November 22, 2019 at 6:17 PM
Lucee controls this ID, not our cache extension. Unless you propose a secret ninja hash in our provider. That may give you issues elsewhere if Lucee pulls a list of IDs to look at.
I was chatting with Matt Clemente about storing sessions in Redis with your extension. Though I haven't used it yet personally, I do have a client that is interested in using Redis for sessions. One reservation I have about using an external cache or database for sessions is that if the database is compromised, an attacker can enumerate all the session ids.
Matt mentioned that the session key might look like this:
In the above example eb313447-3e2b-4c28-87fa-18f285743360 is the session identifier (CFID, JSESSIONID).
My Suggestion:
A better way to do this from a security perspective would be to hash the session identifier treating it just like a password. You would still be able to take a session ID from the request and look up the appropriate session, however you would not be able to enumerate the session identifiers and hijack a session.
Let me know what you think or if you have any questions.
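The hashed-lookup scheme proposed in this issue, as an added example in Python that is not part of the extension or of the issue itself. It assumes a dict standing in for the Redis or Couchbase backend, an assumed key prefix `lucee-session:`, and a constructed server-side key `SERVER_KEY`; the session id reused below is the one quoted in the issue.

```python
import hashlib
import hmac

# Constructed server-side secret for this example. In a deployment it would be
# loaded from configuration on the application server and must never be stored
# in the session database itself, otherwise a dump of the store is enough to
# recompute lookups for guessed ids.
SERVER_KEY = b"example-server-side-key-rotate-me"

# Assumed key naming; the extension's own key format is not shown on this page.
KEY_PREFIX = "lucee-session:"


def storage_key(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Derive the cache key from the session identifier without storing the
    identifier.  Session ids (CFID/JSESSIONID) are high-entropy random values,
    so a deterministic keyed hash is sufficient: no salt or slow KDF is needed,
    and determinism is required so the id presented in a request can still be
    looked up.  HMAC with a server-side key means that even a full read of the
    store does not let an attacker verify guessed ids offline."""
    digest = hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return KEY_PREFIX + digest


class HashedSessionStore:
    """Minimal session store whose backend only ever sees hashed keys."""

    def __init__(self, backend=None, key: bytes = SERVER_KEY):
        # Any mapping-like backend works; a dict stands in for Redis/Couchbase here.
        self._backend = backend if backend is not None else {}
        self._key = key

    def put(self, session_id: str, data) -> None:
        self._backend[storage_key(session_id, self._key)] = data

    def get(self, session_id: str):
        # Lookup uses the id from the request; no plaintext id is read from the store.
        return self._backend.get(storage_key(session_id, self._key))

    def delete(self, session_id: str) -> None:
        self._backend.pop(storage_key(session_id, self._key), None)

    def dump_keys(self) -> list:
        """What someone with read access to the backend would see."""
        return sorted(self._backend.keys())


def leaks_session_id(store: HashedSessionStore, session_id: str) -> bool:
    """True if the raw session id appears in any stored key (it should not)."""
    return any(session_id in k for k in store.dump_keys())


if __name__ == "__main__":
    store = HashedSessionStore()
    sid = "eb313447-3e2b-4c28-87fa-18f285743360"  # session id quoted in the issue
    store.put(sid, {"user": "alice"})
    print("lookup works:", store.get(sid))
    print("raw id visible in backend:", leaks_session_id(store, sid))
    print("backend keys:", store.dump_keys())
```

The design choice worth noting: a salted, slow password hash would defeat the lookup, because the server has nothing but the id from the request to search with. A keyed deterministic hash keeps lookup O(1) while ensuring that a compromised store yields digests rather than usable session identifiers, and rotating `SERVER_KEY` invalidates every stored session at once.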