LemonLDAP NG / lemonldap-ng / Issues / #2350 (Closed)
Issue created Oct 12, 2020 by Maxime Besson (@maxbes, Maintainer)

[security:low] Hiding session ids from the manager

Environment

LemonLDAP::NG version: 2.0.9

Summary

During a security audit for one of our users, the auditors were surprised to see that SSO session ids are easily accessible to manager users (in the session browser). Those IDs allow spoofing of the target user, simply by setting the lemonldap cookie.

Solutions

Hiding the session ID from session details is not enough because browser initiated AJAX calls use the session ID as a key.

The simplest approach might be to encrypt session identifiers with the config crypto secret before returning them in AJAX queries. This way the manager would only handle encrypted values, not knowing the actual session ID behind it. The manager REST endpoints would decrypt the session id before searching it in the session backend. I'll try working on a prototype.

@guimard what do you think of this approach?

Edited Oct 14, 2020 by Christophe Maudoux
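The following is an added sketch of the approach proposed above; it is not code from LemonLDAP::NG (which is written in Perl) and does not reflect how the project eventually implemented it. It assumes an AES-256-GCM key derived from the configured secret with SHA-256, a fixed associated-data label binding tokens to the session browser, and an in-memory map standing in for the session backend; the session ids, user names and secret are constructed sample values. The manager's listing endpoint hands out only opaque tokens, and the REST lookup authenticates and decrypts a token before it ever touches the backend, so a tampered, guessed or raw id is rejected up front and the value shown in the manager is useless as a cookie.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// managerAAD binds tokens to this one use so a token minted for the session
// browser cannot be replayed as some other encrypted value (constructed label).
const managerAAD = "lemonldap-manager-session-browser"

// SessionIDCodec turns raw SSO session ids into opaque, authenticated tokens.
type SessionIDCodec struct{ aead cipher.AEAD }

// NewSessionIDCodec derives an AES-256-GCM key from the config secret (assumed
// derivation; the real project's crypto helper is not shown here).
func NewSessionIDCodec(configSecret string) (*SessionIDCodec, error) {
	key := sha256.Sum256([]byte(configSecret))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, fmt.Errorf("cipher init: %w", err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, fmt.Errorf("gcm init: %w", err)
	}
	return &SessionIDCodec{aead: aead}, nil
}

// Wrap encrypts a session id under a fresh random nonce; output is nonce||ct||tag, base64url.
func (c *SessionIDCodec) Wrap(sessionID string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := c.aead.Seal(nil, nonce, []byte(sessionID), []byte(managerAAD))
	return base64.RawURLEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Unwrap verifies the tag and recovers the session id; any malformed,
// truncated or modified token is rejected without touching the backend.
func (c *SessionIDCodec) Unwrap(token string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return "", errors.New("malformed token")
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns+c.aead.Overhead() {
		return "", errors.New("token too short")
	}
	pt, err := c.aead.Open(nil, raw[:ns], raw[ns:], []byte(managerAAD))
	if err != nil {
		return "", errors.New("token rejected")
	}
	return string(pt), nil
}

// sessionStore stands in for the session backend: raw id -> user (constructed data).
var sessionStore = map[string]string{
	"0a1b2c3d4e5f60718293a4b5c6d7e8f9": "dwho",
	"ffeeddccbbaa99887766554433221100": "rtyler",
}

// ListSessions is what the manager's AJAX listing would return: users keyed by
// opaque token, never by the raw session id.
func ListSessions(c *SessionIDCodec) (map[string]string, error) {
	out := make(map[string]string, len(sessionStore))
	for id, user := range sessionStore {
		tok, err := c.Wrap(id)
		if err != nil {
			return nil, err
		}
		out[tok] = user
	}
	return out, nil
}

// GetSession is the REST detail endpoint: unwrap first, then look up the real id.
func GetSession(c *SessionIDCodec, token string) (string, error) {
	id, err := c.Unwrap(token)
	if err != nil {
		return "", err
	}
	user, ok := sessionStore[id]
	if !ok {
		return "", errors.New("no such session")
	}
	return user, nil
}

// tamperFirstChar alters the first base64 character (part of the nonce) to show
// that any modification of a token is detected.
func tamperFirstChar(token string) string {
	b := []byte(token)
	if b[0] == 'A' {
		b[0] = 'B'
	} else {
		b[0] = 'A'
	}
	return string(b)
}

func main() {
	c, err := NewSessionIDCodec("constructed-config-secret")
	if err != nil {
		panic(err)
	}
	list, _ := ListSessions(c)
	for tok, user := range list {
		got, err := GetSession(c, tok)
		_, tampErr := GetSession(c, tamperFirstChar(tok))
		fmt.Printf("%s -> %s (lookup: %s, err=%v; tampered err=%v)\n", tok, user, got, err, tampErr)
	}
}
```

The tokens change on every listing because each one carries a fresh nonce, which is fine for a session browser that re-fetches its list; if stable identifiers are needed across requests, the nonce would have to be derived deterministically, which brings its own design trade-offs and is not shown here.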