[FIX] web: rotate session identifiers after login/logout

As recommended by OWASP
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change

Closes #6760
Coin Newell 2015-05-18 23:41:16 +01:00 committed by Olivier Dony
parent d5aa22ea5f
commit 31d817e849
1 changed files with 7 additions and 0 deletions


@ -917,6 +917,7 @@ class OpenERPSession(werkzeug.contrib.sessions.Session):
self.inited = True
self._default_values()
self.modified = False
self.rotate = False
def __getattr__(self, attr):
return self.get(attr, None)
@ -948,6 +949,7 @@ class OpenERPSession(werkzeug.contrib.sessions.Session):
uid = dispatch_rpc('common', 'authenticate', [db, login, password, env])
else:
security.check(db, uid, password)
self.rotate = True
self.db = db
self.uid = uid
self.login = login
@ -973,6 +975,7 @@ class OpenERPSession(werkzeug.contrib.sessions.Session):
if not (keep_db and k == 'db'):
del self[k]
self._default_values()
self.rotate = True
def _default_values(self):
self.setdefault("db", None)
@ -1369,6 +1372,10 @@ class Root(object):
response = result
if httprequest.session.should_save:
if httprequest.session.rotate:
self.session_store.delete(httprequest.session)
httprequest.session.sid = self.session_store.generate_key()
httprequest.session.modified = True
self.session_store.save(httprequest.session)
# We must not set the cookie if the session id was specified using a http header or a GET parameter.
# There are two reasons to this: