[security:low] Hiding session ids from the manager
Environment
LemonLDAP::NG version: 2.0.9
Summary
During a security audit for one of our users, the auditors were surprised to see that SSO session ids are easily accessible to manager users (in the session browser). Those IDs allow spoofing of the target user, simply by setting the lemonldap cookie.
Solutions
Hiding the session ID from session details is not enough because browser-initiated AJAX calls use the session ID as a key.
The simplest approach might be to encrypt session identifiers with the config crypto secret before returning them in AJAX queries. This way the manager would only handle encrypted values, not knowing the actual session ID behind it. The manager REST endpoints would decrypt the session id before searching it in the session backend. I'll try working on a prototype.
@guimard what do you think of this approach?
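As an added illustration of the approach proposed above (this is not code from the issue or from LemonLDAP::NG, and it is written in Python rather than the project's Perl), the sketch below wraps each session id in an opaque, authenticated handle derived from the config secret before it leaves the manager REST layer, and unwraps it again before the backend lookup. The session backend, the session records, the secret and the `ManagerApi` endpoint names are all constructed for the example; the wrapper is a stdlib stand-in (HMAC-derived keystream plus HMAC tag, encrypt-then-MAC) for whatever authenticated encryption the project's own crypto helper provides.

```python
import base64
import hashlib
import hmac
import secrets


class SessionIdWrapper:
    """Turns a raw SSO session id into an opaque handle and back.

    Constructed stand-in for an AEAD: two keys are derived from the config
    secret, one for the keystream, one for the integrity tag, so a manager
    user cannot forge or tamper with a handle, and cannot recover the raw id
    (the value that would work as the lemonldap cookie) from it.
    """

    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self, config_secret: bytes):
        self._enc_key = hmac.new(config_secret, b"manager-session-handle/enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(config_secret, b"manager-session-handle/mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # Counter-mode keystream built from HMAC-SHA256; nonce is fresh per wrap.
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def wrap(self, session_id: str) -> str:
        nonce = secrets.token_bytes(self.NONCE_LEN)
        plaintext = session_id.encode()
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode().rstrip("=")

    def unwrap(self, handle: str):
        """Returns the raw session id, or None if the handle is malformed or forged."""
        try:
            raw = base64.urlsafe_b64decode(handle + "=" * (-len(handle) % 4))
        except ValueError:
            return None
        if len(raw) < self.NONCE_LEN + self.TAG_LEN:
            return None
        nonce, ciphertext, tag = raw[:self.NONCE_LEN], raw[self.NONCE_LEN:-self.TAG_LEN], raw[-self.TAG_LEN:]
        expected = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return bytes(a ^ b for a, b in zip(ciphertext, self._keystream(nonce, len(ciphertext)))).decode()


# Constructed in-memory stand-in for the session backend: raw id -> session data.
SESSION_BACKEND = {
    "a1b2c3d4e5f60718293a4b5c6d7e8f90": {"_user": "dwho", "_utime": 1600000000},
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0": {"_user": "rtyler", "_utime": 1600000100},
}


class ManagerApi:
    """Constructed model of the manager's session-browser REST endpoints."""

    def __init__(self, backend, wrapper: SessionIdWrapper):
        self.backend = backend
        self.wrapper = wrapper

    def list_sessions(self):
        # The listing is what the session browser's AJAX code keys on, so the
        # key it gets is the handle, never the raw id.
        return [{"handle": self.wrapper.wrap(sid), "_user": data["_user"]}
                for sid, data in self.backend.items()]

    def session_details(self, handle: str):
        # Decrypt first, then look up; a raw id pasted in here is rejected
        # because it carries no valid tag.
        session_id = self.wrapper.unwrap(handle)
        if session_id is None or session_id not in self.backend:
            return None
        details = dict(self.backend[session_id])
        details["_session_id"] = handle  # echo the handle, not the cookie value
        return details


if __name__ == "__main__":
    api = ManagerApi(SESSION_BACKEND, SessionIdWrapper(b"constructed-config-secret"))
    for entry in api.list_sessions():
        print(entry["_user"], "->", api.session_details(entry["handle"]))
```

Because the nonce is fresh on every call, the same session shows up under a different handle each time the list is fetched, which is harmless for the browser (it only ever round-trips the handle it was just given) and means a handle copied out of one listing says nothing about the raw id. Rotating the config secret invalidates all outstanding handles, which is the expected behaviour.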