Session Fixation 2.3

SOLVED
Hello! I'm having issues with customer sessions: they don't seem to be invalidated on logout, and I can't find a way of doing so; I've tried plugins and observers to explicitly destroy the session, without luck. I must be missing something.

To explain further, take the following example:

1) Open Burp Suite (or some proxy) and log in as a customer
2) Navigate to the My Profile page
3) Capture the POST request, copy it to the clipboard, and drop it.
4) Log out from the customer My Account area
5) In Burp, paste the request into the 'Repeater'
6) Change some name value in the Repeater dialog, e.g. john smith => not john
7) Send the request, follow redirections... 200!
8) Log in as the user again and see the name change.

I would expect 4) to invalidate the session and 7) to return a 403 or at least a 200 with an error because the session is no longer valid and isLoggedIn() should be false anyway. Is this happening in your installation?

Additionally, I am very confused by the following:

// In Magento\Customer\Controller\Account\EditPost controller...
public function execute()
{
    $this->session->logout();
    if ($this->session->isLoggedIn()) {
        // We get here somehow.
    }

    ....

Does anyone have experience with or can explain how Magento is handling sessions here?

Thanks in advance

1 ACCEPTED SOLUTION


Re: Session Fixation 2.3

For anyone experiencing this issue, the fix was to upgrade to 2.3.5 and use the following patch: 

diff --git a/vendor/magento/module-customer/Controller/Account/Logout.php b/vendor/magento/module-customer/Controller/Account/Logout.php
index 9344f482bd6..20b4fe30aa2 100644
--- a/vendor/magento/module-customer/Controller/Account/Logout.php
+++ b/vendor/magento/module-customer/Controller/Account/Logout.php
@@ -4,8 +4,11 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Customer\Controller\Account;
 
+use Magento\Customer\Api\SessionCleanerInterface;
 use Magento\Framework\App\Action\HttpPostActionInterface;
 use Magento\Framework\App\Action\HttpGetActionInterface;
 use Magento\Customer\Model\Session;
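Review bot: The constructor change later in this patch calls `ObjectManager::getInstance()`, but this import hunk only adds `use Magento\Customer\Api\SessionCleanerInterface;` and no `use Magento\Framework\App\ObjectManager;`. If the file does not already import it outside the shown context, the unqualified name resolves to `Magento\Customer\Controller\Account\ObjectManager` and the logout action fails with a class-not-found error; check the existing imports before applying, and add the import in this hunk if it is missing.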
@@ -36,14 +39,23 @@ class Logout extends AbstractAccount implements HttpGetActionInterface, HttpPost
     private $cookieMetadataManager;
 
     /**
+     * @var SessionCleanerInterface
+     */
+    private $sessionCleaner;
+
+    /**
      * @param Context $context
      * @param Session $customerSession
+     * @param SessionCleanerInterface|null $sessionCleaner
      */
     public function __construct(
         Context $context,
-        Session $customerSession
+        Session $customerSession,
+        SessionCleanerInterface $sessionCleaner = null
     ) {
         $this->session = $customerSession;
+        $objectManager = ObjectManager::getInstance();
+        $this->sessionCleaner = $sessionCleaner ?? $objectManager->get(SessionCleanerInterface::class);
         parent::__construct($context);
     }
 
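Review bot: The fallback `$this->sessionCleaner = $sessionCleaner ?? $objectManager->get(SessionCleanerInterface::class);` is a backward-compatibility shim for the new optional constructor argument, which is acceptable for a patch on an installed 2.3.5 but should not be copied into new code: any class extending or decorating this controller should receive `SessionCleanerInterface` through DI rather than rely on the ObjectManager. The docblock `@param SessionCleanerInterface|null $sessionCleaner` matches the nullable default, so the signature is consistent under `declare(strict_types=1)`.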
@@ -85,6 +97,7 @@ class Logout extends AbstractAccount implements HttpGetActionInterface, HttpPost
         $lastCustomerId = $this->session->getId();
         $this->session->logout()->setBeforeAuthUrl($this->_redirect->getRefererUrl())
             ->setLastCustomerId($lastCustomerId);
+        $this->sessionCleaner->clearFor((int)$lastCustomerId);
         if ($this->getCookieManager()->getCookie('mage-cache-sessid')) {
             $metadata = $this->getCookieMetadataFactory()->createCookieMetadata();
             $metadata->setPath('/');
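Review bot: `$lastCustomerId = $this->session->getId();` is read before `logout()`, which is the right order, but if the action is reached without a logged-in customer the value is null and `(int)$lastCustomerId` becomes 0, so `clearFor(0)` runs for a customer id that does not exist. Guard the new line with `if ($lastCustomerId) { $this->sessionCleaner->clearFor((int)$lastCustomerId); }` so the cleaner only runs for a real customer. Calling `clearFor()` after `logout()` is correct for the fix's intent: the current request's session is cleared first, then every persisted session bound to that customer is removed, which is what makes a replayed session id unusable.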

I hope this helps anybody finding themselves here. I would imagine that more recent versions of Magento now include this patch. 
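As an added illustration (not Magento's code and not part of this thread's patch) of why a per-request logout() alone leaves a captured session id usable, and what clearFor() changes: the SessionStore and Session classes below are constructed stand-ins for Magento's persisted session store and per-request customer session, and editPost() stands in for the EditPost controller's login check (PHP 7.4+).

```php
<?php
declare(strict_types=1);
// Constructed stand-in for the persisted session store (DB/file): sid => customer id.
final class SessionStore
{
    /** @var array<string,int> */
    private array $records = [];

    public function put(string $sid, int $customerId): void { $this->records[$sid] = $customerId; }
    public function get(string $sid): ?int { return $this->records[$sid] ?? null; }

    // Role of the patch's SessionCleanerInterface::clearFor(): drop every persisted
    // session bound to this customer, not only the one making the logout request.
    public function clearFor(int $customerId): void
    {
        $this->records = array_filter($this->records, fn (int $c) => $c !== $customerId);
    }
}

// Per-request customer session, hydrated from the store on every request.
final class Session
{
    private ?int $customerId;
    public function __construct(SessionStore $store, string $sid) { $this->customerId = $store->get($sid); }
    public function isLoggedIn(): bool { return $this->customerId !== null; }
    public function getId(): ?int { return $this->customerId; }
    // logout() only clears this request's object; the stored record survives it.
    public function logout(): self { $this->customerId = null; return $this; }
}
// Stand-in for the EditPost check: a replayed request builds a fresh Session from the store.
function editPost(SessionStore $store, string $sid): int
{
    return (new Session($store, $sid))->isLoggedIn() ? 200 : 403;
}
// Patched Logout: read the customer id before logout(), then clear persisted sessions.
function logoutWithCleaner(SessionStore $store, string $sid): void
{
    $session = new Session($store, $sid);
    $lastCustomerId = $session->getId();
    $session->logout();
    if ($lastCustomerId !== null) {
        $store->clearFor($lastCustomerId);   // the line the patch adds
    }
}

$store = new SessionStore();
$store->put('captured-sid', 42);                  // constructed: the id seen in the proxy
(new Session($store, 'captured-sid'))->logout();  // unpatched logout: only this object is cleared
echo editPost($store, 'captured-sid'), PHP_EOL;   // replay is still accepted
logoutWithCleaner($store, 'captured-sid');
echo editPost($store, 'captured-sid'), PHP_EOL;   // replay is now rejected: stored session is gone
```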


3 REPLIES

Re: Session Fixation 2.3

Hello @john_plesner,

I had this same problem a few months back: when I was trying to log out the customer and then tried to access the dashboard page again, it was showing the previous customer name, but when I clicked on any link (page) from the dashboard which was not cached, it redirected me to logout.

Please check this scenario first to see if this is occurring with you too: try a hard reload (Ctrl + F5) and go to different pages of the customer area.

And if this is occurring with you, update cache to false for the My Dashboard page.


Re: Session Fixation 2.3

Hi @gaurav_harsh1 

I appreciate your response and I apologise if I didn't explain correctly.

Unfortunately this is not the issue I am concerned with. The actual functionality of the site works correctly and always has. The concern is related to session security: if an attacker captures a user's session, they are able to use that session to submit forms even after the customer has logged out (i.e. their session has ended).

It seems that the session doesn't 'end' (become invalidated) as expected. Instead the same session ID can be used to submit forms.
