Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SHA-512 hashing to session token in URL #7325

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add SHA-512 hashing to session token in URL #7325

wants to merge 1 commit into from

Conversation

surya-prakash-susarla
Copy link

This change adds SHA-512 hashing to the session token in the URL parameter to thwart visibility of session token which is currently being exposed through plain-text URL encoding.

@bradymiller
Copy link
Sponsor Member

hi @surya-prakash-susarla ,
Awesome to see security focused work. In this case, note that this is not a session id. Exposing it is not an issue since it is only use one time when loading the script and is then removed. There is an option that allows not removing it (so users can reset the screen without it breaking), which is off by default. But even in that case, an exposed hash can be used. The critical point i am making here though is that this is not a session id, so a bad actor can do nothing with this token value.

Let me know if i am missing something.

@surya-prakash-susarla
Copy link
Author

surya-prakash-susarla commented Apr 15, 2024
edited

Hello @bradymiller , thank you very much for taking a look at the change. I agree, the session token by itself seemed pretty harmless since it is randomly generated and has low potential for exploitation. I am unaware of the option to hide the token but considering that this is a randomly generated value which can be optionally used for extra security and is written to the logs, my idea was to increase the safety through hashing since it is minimally invasive and adds protection.

I also noticed in this section that there is a direct comparison of this value and felt that hashing the value coming into this comparison from the external source would be better:
interface/main/tabs/main.php

// Ensure token_main matches so this script can not be run by itself
//  If do not match, then destroy the session and go back to login screen
if (
    (empty($_SESSION['token_main_php'])) ||
    (empty($_GET['token_main'])) ||
    ($_GET['token_main'] != $_SESSION['token_main_php'])
) {
    // Below functions are from auth.inc, which is included in globals.php
    authCloseSession();
    authLoginScreen(false);
}
// this will not allow copy/paste of the link to this main.php page or a refresh of this main.php page
//  (default behavior, however, this behavior can be turned off in the prevent_browser_refresh global)
if ($GLOBALS['prevent_browser_refresh'] > 1) {
    unset($_SESSION['token_main_php']);
}

Please let me know what you think. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Status: Needs Review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@surya-prakash-susarla @bradymiller @adunsulag