L3Y Posted September 16, 2015 Hi, While working on our Blesta, I saw that when a user logs in, there is a session cookie created with csrf_token. It looks like this: Cookie: COOKIENAME_cookie=fd3ukp7hf6757hhjsdfkj6_csrf_token=98a19b5599909cd47f55619f484a42b1828771674264f85f952c6360a1f&username=email%40hotmail.com&password=MY_PASSWORD_HERE;} While I do realize this can be secure, in certain conditions, and there might be some very good reasons for this behaviour in Blesta, well... let's say my IP is changing while I am logged into Blesta: it doesn't log me out! I want PCI Compliance with Blesta, as much as possible. Can someone clarify this? Thank you
Michael Posted September 16, 2015 Why doesn't Blesta log off a user if the user's IP address has changed? Blesta allows admin logins to time out if the IP changes, which is more important. I don't do cookies so can't comment on that.
Cody Posted September 16, 2015 Blesta DOES NOT store credentials of any kind in a cookie. The only thing Blesta will put in a cookie is the session ID.
Paul Posted September 16, 2015 Cody is right. Additionally, you can prevent session hijacking by enabling the "Log Out On IP Address Change" option for your staff group under Settings > System > Staff > Staff Groups Edit. If enabled, staff belonging to the group will be logged out if their IP address changes.
Tyson Posted September 16, 2015 It looks like this: Cookie: COOKIENAME_cookie=fd3ukp7hf6757hhjsdfkj6 _csrf_token=98a19b5599909cd47f55619f484a42b1828771674264f85f952c6360a1f&username=email%40hotmail.com&password=MY_PASSWORD_HERE;} It seems like you're confusing two separate things: the cookie versus a POST request. Logging into Blesta will need to send the login credentials to the server, so there will be a POST request containing the username, password, and CSRF token. After successfully logging in, a cookie will be created with the session ID. I would suggest taking a closer look at the content of the cookie.
L3Y Posted September 16, 2015 Author Blesta allows admin logins to time out if the IP changes, which is more important. I don't do cookies so can't comment on that. I tried to log in to a client account while I was logged in as an admin, then I changed my IP address, and I was never logged out. Therefore this function should also apply to the client area. As far as I can see, there are ways to mitigate this problem. However, this is not the same as an improvement to session management in Blesta. Secure cookie management is also a requirement for PCI Compliance: http://blog.elementps.com/element_payment_solutions/2013/12/new-pci-dss-session-management-requirements-.html Can we achieve real PCI Compliance with Blesta? Thank you ...and don't think I am saying here that Blesta is not good compared with others: I saw similar stuff on other billing systems also. However, I expect more from Blesta than the others, just because it comes from people who are trying to produce a better code base than any other billing solution.
L3Y Posted September 16, 2015 Author Cody is right. Additionally, you can prevent session hijacking by enabling the "Log Out On IP Address Change" option for your staff group under Settings > System > Staff > Staff Groups Edit. If enabled, staff belonging to the group will be logged out if their IP address changes. Thank you for this clarification. I always thought this line was related in some way to the cookie itself, probably because it starts with an underscore (_). I have learned something new, thank you for this. I've updated my first post to avoid confusion with your other customers who may read this post. However, due to the debug tag, I am still worried about MITM: http://www.blesta.com/forums/index.php?/topic/4533-debug-tag-added-by-default-in-the-universal-module/ Is there any way I can disable this tag in Blesta? I tried to search in the code, but I cannot find the related function. Where is it exactly? ...and also because it makes use of some features which allow a third party to know what the customer's and admin's IP addresses are, and I did not see any way to disable this in the admin (should you not want this, removing it in the code is easy, however). Also: what about a feature that would allow customers and admins to restrict their account access to only one (or more) IP addresses? It should be a good workaround for eventual problems with this. I am aware we can protect the admin and the API this way, but what about the customer side? The same security we get in the admin should be available to our customers, no? Thank you
L3Y Posted September 16, 2015 Author Cody is right. Additionally, you can prevent session hijacking by enabling the "Log Out On IP Address Change" option for your staff group under Settings > System > Staff > Staff Groups Edit. If enabled, staff belonging to the group will be logged out if their IP address changes. Hi, I verified this, and the "Log Out On IP Address Change" feature was enabled when I tested. If my IP changes, I am not logged off from Blesta. Why doesn't this feature work?
Michael Posted September 16, 2015 Hi, I verified this, and the "Log Out On IP Address Change" feature was enabled when I tested. If my IP changes, I am not logged off from Blesta. Why doesn't this feature work? It only works if you log in with the new IP.
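The two points made in this thread, that credentials and the CSRF token travel in the login POST body while the cookie carries only a session ID (Tyson), and that a session can be bound to the IP address seen at login so that it is destroyed when the IP changes (the "Log Out On IP Address Change" option Paul and Michael describe), as an added example in Python. This is not Blesta's code: the cookie name blesta_sid, the USERS table, the salt, the PBKDF2 parameters and the IP addresses are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed demo credential store (hypothetical, not Blesta's schema):
# username -> PBKDF2-SHA256 hash of the password. A real system uses a
# per-user random salt; one fixed salt keeps the demo short.
_SALT = b"demo-salt"
_ITERATIONS = 100_000
USERS: Dict[str, bytes] = {
    "email@hotmail.com": hashlib.pbkdf2_hmac(
        "sha256", b"MY_PASSWORD_HERE", _SALT, _ITERATIONS),
}

# CSRF token the login form would have embedded; constructed value.
LOGIN_FORM_CSRF = "98a19b5599909cd47f55619f484a42b1828771674264f85f952c6360a1f"
COOKIE_NAME = "blesta_sid"  # hypothetical cookie name


@dataclass
class Session:
    user: str
    ip: str  # IP observed at login; compared by the "log out on IP change" check


def parse_cookie(header: str) -> Dict[str, str]:
    """Parse a Cookie header ('a=1; b=2') into a dict; bare flags are ignored."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name and value:
            out[name] = value
    return out


def set_cookie_header(cookie_pair: str) -> str:
    """Set-Cookie value with the attributes a session cookie should carry."""
    return f"{cookie_pair}; HttpOnly; Secure; SameSite=Lax; Path=/"


class SessionStore:
    """Server-side session table keyed by a random session ID."""

    def __init__(self, logout_on_ip_change: bool) -> None:
        self.logout_on_ip_change = logout_on_ip_change
        self._sessions: Dict[str, Session] = {}

    def login(self, post_body: Dict[str, str], client_ip: str) -> Optional[str]:
        """Handle the login POST. Username, password and CSRF token arrive in the
        request body and are never written to the cookie. Returns the
        'name=value' cookie pair on success, None on any failure."""
        if not hmac.compare_digest(post_body.get("_csrf_token", ""), LOGIN_FORM_CSRF):
            return None
        user = post_body.get("username", "")
        stored = USERS.get(user)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", post_body.get("password", "").encode(), _SALT, _ITERATIONS)
        # Compare against a dummy hash when the user is unknown so timing is uniform.
        if stored is None or not hmac.compare_digest(candidate, stored):
            return None
        sid = secrets.token_hex(16)  # 128-bit random ID is the only cookie content
        self._sessions[sid] = Session(user=user, ip=client_ip)
        return f"{COOKIE_NAME}={sid}"

    def resolve(self, cookie_header: str, client_ip: str) -> Optional[str]:
        """Map a request's Cookie header to the logged-in user, or None."""
        sid = parse_cookie(cookie_header).get(COOKIE_NAME)
        session = self._sessions.get(sid) if sid else None
        if session is None:
            return None
        if self.logout_on_ip_change and session.ip != client_ip:
            # IP changed mid-session: destroy the session so the bearer must
            # log in again from the new address.
            del self._sessions[sid]
            return None
        return session.user
```

The cookie returned by `login` contains nothing but the session ID; a captured cookie is therefore only useful while the server-side entry exists, and with `logout_on_ip_change=True` it stops resolving as soon as a request for it arrives from a different address. Binding to the client IP is a coarse control (NAT, mobile roaming and proxies all change the observed address), which is why products expose it as a per-group option rather than a default.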
Cody Posted September 16, 2015 Sorry dude, I've got to close this. The original topic has been shown to be not a bug. If you have something else to report, please open a new thread.