Fix security issue with basic auth demo implementation in test code #153

Merged
merged 1 commit into from May 21, 2012


yeurch commented May 21, 2012

When a request for a secure resource was received with a cookie named ss-session, the request filter just checked that the cookie started with {username}/. This means that anyone with knowledge of the username could bypass the security mechanism by fabricating a cookie value (e.g. user/abcdef).

The change in this commit tracks the GUID used in the ss-session cookie, so that subsequent requests using the cookie to authenticate must provide both the username AND the GUID, in the form {username}/{guid}.

Each time a request is submitted using the basic auth header (rather than the previously issued cookie), a new GUID is created, which renders the old GUID obsolete.
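The weakness and the fix described above, as an added example that is not code from this pull request or from ServiceStack: a stand-alone Python model of the demo request filter's session-cookie handling, with the prefix-only check beside the corrected check that requires the tracked GUID and rotates it on every basic-auth login. The user store, session store and helper names are assumptions for illustration, and the sample credentials are constructed.

```python
import base64
import binascii
import secrets
import uuid
from typing import Optional

# Constructed demo credential store (hypothetical; not the project's).
USERS = {"user": "password"}

# Hypothetical session tracking: username -> GUID currently valid for ss-session.
SESSIONS: dict[str, str] = {}


def make_basic_header(username: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (test helper)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_auth(header: str) -> Optional[tuple[str, str]]:
    """Return (username, password) from a Basic header, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def vulnerable_cookie_check(cookie: str) -> Optional[str]:
    """Before the fix: any ss-session value starting with '{username}/' passes.

    Knowing only the username is enough to forge a cookie such as 'user/abcdef'.
    """
    for username in USERS:
        if cookie.startswith(username + "/"):
            return username
    return None


def login_with_basic_auth(header: str) -> Optional[str]:
    """Validate Basic credentials; on success issue a fresh '{username}/{guid}'.

    Issuing a new GUID replaces the stored one, so any earlier cookie for the
    same user stops working (the rotation the fix describes).
    """
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    username, password = creds
    expected = USERS.get(username, "")
    if not secrets.compare_digest(password.encode(), expected.encode()):
        return None
    guid = str(uuid.uuid4())
    SESSIONS[username] = guid
    return f"{username}/{guid}"


def fixed_cookie_check(cookie: str) -> Optional[str]:
    """After the fix: the cookie must carry the username AND the tracked GUID."""
    username, sep, guid = cookie.partition("/")
    if not sep or not guid:
        return None
    current = SESSIONS.get(username)
    if current is None:
        return None
    if not secrets.compare_digest(guid.encode(), current.encode()):
        return None
    return username


def authenticate(auth_header: Optional[str], ss_session: Optional[str]) -> Optional[str]:
    """Model of the filter's order of checks: header first, then the cookie."""
    if auth_header:
        cookie = login_with_basic_auth(auth_header)
        return cookie.partition("/")[0] if cookie else None
    if ss_session:
        return fixed_cookie_check(ss_session)
    return None
```

The forged value `user/abcdef` is accepted by `vulnerable_cookie_check` and rejected by `fixed_cookie_check`; after a second basic-auth login the first issued cookie is rejected as well. Note that keying the store by username alone, as the PR describes, means a user has exactly one live session at a time.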

mythz added a commit that referenced this pull request May 21, 2012

Merge pull request #153 from yeurch/reqfilterdemosecurity
Fix security issue with basic auth demo implementation in test code

@mythz mythz merged commit aa45023 into ServiceStack:master May 21, 2012
