[Building Sakai] Why is session id null when getting session from /session/current?

Sam Ottenhoff ottenhoff at longsight.com
Tue Mar 25 15:48:38 PDT 2014


Hi,



>
> When getting the current session from /session/current, the id is being
> set to null by this line in SessionEntityProvider:
>
> es.setId(null); // SAK-19669 - do not allow session id to be visible for
> current session
>
> What is the reason for hiding this?


XSS


> Isn't this the same id that is stored in the JSESSIONID cookie?
>

No



>
> For a little context, we're working on setting up some autotests to test
> out releases of our local sakai instance. We want to log in as an admin
> user at the start of a test suite and then use the session id to change to
> a different user by posting to /session. Unfortunately, we discovered that
> there's no way to access httpOnly cookies through chromedriver (it looks
> like chromedriver is using javascript to get cookies for the current page),
> so we can't get the session id from the cookie. We can use the become user
> tool as a workaround, but would prefer not to as that would be dependent on
> the sakai environment being tested.


I'm not following why manipulating cookies or session ids is a more valid
way to test a Sakai instance.  Wouldn't using a real login or Become User
be a more valid way to simulate real user actions?



> Is there any harm in removing this line from our local instance?
>

If you want to discuss the ramifications, please join the sakai-security
list by sending an email to neal.caidin at apereo.org.

--Sam
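To make the XSS point concrete, here is an added example (not Sakai code, and not part of this thread) that models the two ways script running in a logged-in page could learn the session id: reading `document.cookie`, which an HttpOnly cookie defeats, and fetching a JSON description of the current session, which the browser sends the cookie along with. The names `SessionStore`, `describe_current_session` and `page_script_can_learn_session_id` are hypothetical; the redaction mirrors the `es.setId(null)` line quoted above.

```python
import secrets
from dataclasses import dataclass, asdict
from http.cookies import SimpleCookie


@dataclass
class Session:
    id: str        # server-side session identifier, also the JSESSIONID value
    user_id: str
    user_eid: str


class SessionStore:
    """Hypothetical in-memory session table standing in for a real session manager."""

    def __init__(self):
        self._by_id = {}

    def login(self, user_id, user_eid):
        sid = secrets.token_urlsafe(24)
        sess = Session(id=sid, user_id=user_id, user_eid=user_eid)
        self._by_id[sid] = sess
        return sess

    def lookup(self, sid):
        return self._by_id.get(sid)


def set_cookie_header(sess):
    """Server's Set-Cookie for the session; HttpOnly keeps it out of document.cookie."""
    return f"JSESSIONID={sess.id}; Path=/; Secure; HttpOnly"


def cookie_header_from_set_cookie(set_cookie):
    """Browser behaviour: the cookie is attached to every same-site request, HttpOnly or not."""
    c = SimpleCookie()
    c.load(set_cookie)
    return "; ".join(f"{k}={m.value}" for k, m in c.items())


def document_cookie(set_cookie):
    """Browser behaviour: document.cookie omits any cookie flagged HttpOnly."""
    c = SimpleCookie()
    c.load(set_cookie)
    visible = {k: m.value for k, m in c.items() if not m["httponly"]}
    return "; ".join(f"{k}={v}" for k, v in visible.items())


def describe_current_session(store, cookie_header, hide_id=True):
    """Model of GET /session/current: describe the caller's own session as JSON."""
    c = SimpleCookie()
    c.load(cookie_header)
    m = c.get("JSESSIONID")
    sess = store.lookup(m.value) if m else None
    if sess is None:
        return None
    view = asdict(sess)
    if hide_id:
        view["id"] = None   # same effect as es.setId(null): the id is not echoed back
    return view


def page_script_can_learn_session_id(store, hide_id):
    """Could JavaScript running in the logged-in page (e.g. injected XSS) obtain the id?"""
    sess = store.login("admin", "admin")          # constructed sample login
    set_cookie = set_cookie_header(sess)
    # Path 1: document.cookie. Empty, because the cookie is HttpOnly.
    if sess.id in document_cookie(set_cookie):
        return True
    # Path 2: fetch('/session/current'). The browser attaches the cookie itself,
    # so anything the JSON body contains is readable by the script.
    view = describe_current_session(
        store, cookie_header_from_set_cookie(set_cookie), hide_id
    )
    return view is not None and view["id"] == sess.id


if __name__ == "__main__":
    store = SessionStore()
    print("id redacted  -> exposed:", page_script_can_learn_session_id(store, hide_id=True))
    print("id echoed    -> exposed:", page_script_can_learn_session_id(store, hide_id=False))
```

With the id redacted, neither path yields the session id to in-page script; with the redaction removed, the endpoint hands back exactly the value the HttpOnly flag was protecting. A test harness that needs the cookie can still obtain it by performing a real login through its own HTTP client, where the cookie jar lives outside the browser and HttpOnly does not apply.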