Created Oct 12, 2020 by Maxime Besson (@maxbes, Maintainer)

[security:low] Hiding session ids from the manager

Environment

LemonLDAP::NG version: 2.0.9

Summary

During a security audit for one of our users, the auditors were surprised to see that SSO session ids are easily accessible to manager users (in the session browser). Those IDs allow spoofing of the target user, simply by setting the lemonldap cookie.

Solutions

Hiding the session ID from session details is not enough, because browser-initiated AJAX calls use the session ID as a key.

The simplest approach might be to encrypt session identifiers with the config crypto secret before returning them in AJAX queries. This way the manager would only handle encrypted values, not knowing the actual session ID behind it. The manager REST endpoints would decrypt the session id before searching it in the session backend. I'll try working on a prototype.

@guimard what do you think of this approach?

Edited Oct 14, 2020 by Christophe Maudoux
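One way to realise the encrypted-identifier idea from the issue, as an added example in Go that is not LemonLDAP::NG's own code (the project is written in Perl). It assumes a configured "crypto secret" string, a toy in-memory session backend keyed by raw session id, and constructed sample sessions; the manager side only ever sees an AES-GCM token, and the REST lookup decrypts it (rejecting altered tokens or tokens made under another secret) before touching the backend.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// DeriveKey turns the configured crypto secret (an assumed setting, standing
// in for whatever the deployment actually uses) into a 256-bit AES key.
func DeriveKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

// WrapSessionID encrypts a raw SSO session id with AES-256-GCM and returns an
// opaque, URL-safe token. A fresh nonce is drawn per call, so listing the same
// session twice yields two different tokens.
func WrapSessionID(key []byte, sid string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(sid), nil)
	return base64.RawURLEncoding.EncodeToString(append(nonce, ct...)), nil
}

// UnwrapSessionID reverses WrapSessionID. A token that was altered, truncated,
// or produced under a different secret fails GCM authentication.
func UnwrapSessionID(key []byte, token string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("session token too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", errors.New("invalid session token")
	}
	return string(pt), nil
}

// Session is a constructed subset of what the session browser displays.
type Session struct {
	User string
	IP   string
}

// SessionBackend stands in for the real session store, keyed by raw id.
type SessionBackend map[string]Session

// ManagerEntry is what the session browser receives: the encrypted token in
// place of the raw id, which it later sends back to fetch details.
type ManagerEntry struct {
	Token string
	User  string
}

// ListForManager mimics the listing endpoint: raw ids never leave the server.
func ListForManager(backend SessionBackend, key []byte) ([]ManagerEntry, error) {
	out := make([]ManagerEntry, 0, len(backend))
	for sid, s := range backend {
		tok, err := WrapSessionID(key, sid)
		if err != nil {
			return nil, err
		}
		out = append(out, ManagerEntry{Token: tok, User: s.User})
	}
	return out, nil
}

// GetForManager mimics the detail endpoint: decrypt first, then look up.
func GetForManager(backend SessionBackend, key []byte, token string) (Session, error) {
	sid, err := UnwrapSessionID(key, token)
	if err != nil {
		return Session{}, err
	}
	s, ok := backend[sid]
	if !ok {
		return Session{}, errors.New("session not found")
	}
	return s, nil
}

func main() {
	key := DeriveKey("constructed-config-crypto-secret")
	backend := SessionBackend{"c0ffee0123456789": {User: "alice", IP: "192.0.2.10"}}
	entries, _ := ListForManager(backend, key)
	for _, e := range entries {
		fmt.Printf("manager sees token=%s user=%s\n", e.Token, e.User)
		s, err := GetForManager(backend, key, e.Token)
		fmt.Println("lookup:", s, err)
		_, err = GetForManager(backend, DeriveKey("other-secret"), e.Token)
		fmt.Println("wrong secret:", err)
	}
}
```

The token is still a handle that lets a manager user act on that session through the manager's own REST endpoints, exactly as before; what changes is that it cannot be pasted into the lemonldap cookie, and a token forged or replayed from another instance fails authentication instead of reaching the backend.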