
I have this application where you create a session cookie like so:

$session = CGI::Session->new() or die CGI::Session->errstr;
$cookie = CGI::Cookie->new(-name=>$session->name, -value=>$session->id,-expires=>'+2h', -secure => 1 );

And then set the header like this:

print $q->header(-cookie=>$cookie);

I need to change the session ID of this cookie upon logging in to the application (in a similar manner to PHP's session_regenerate_id). Is there any way of doing this in Perl? I've been looking through the documentation and I can't find any ways of doing this really. If not, other suggestions on how to solve this are welcomed.

simbabque
sjottil
  • It looks like there is indeed no built-in way in CGI::Session to do that. You might need to create a second session object to utilize the session id generator, and then either move stuff over to the new one. Simply updating the id in the session object will not work as that would not trigger a write to the data sink. You could implement that as a subclass of CGI::Session so it becomes a method that replaces the object you already have. – simbabque Jan 12 '16 at 14:28
  • Why would you want to do that? Is it because you want to start a fresh session? Then do that! – ikegami Jan 12 '16 at 15:55
  • @ikegami it has to do with session fixation attacks. See http://stackoverflow.com/a/22965580/1331451 and maybe http://security.stackexchange.com/q/37559/21265. It seems to be a valid point to do it, but CGI::Session probably predates the time this attack type was given a name. – simbabque Jan 12 '16 at 16:12
  • @simbabque, I see. But that type of attack doesn't work if you accept the session id from cookies since the third-party can't set a cookie for your site. – ikegami Jan 12 '16 at 16:28
  • @ikegami well, it should not work if you only accept it from a cookie, but there might be a way to get a cookie onto the target machine. Of course it's questionable whether the attacker would go through that kind of trouble if they already have the means to alter a cookie on the target. This feature comes at little cost, though, so it's probably not a bad idea to do it. I thought I'd seen an implementation with Dancer or Dancer2, but I can't find it right now. – simbabque Jan 12 '16 at 16:45
  • @simbabque, Re "there might be a way to get a cookie onto the target machine", XSS. But if they can do that, ... – ikegami Jan 12 '16 at 16:51
  • @simbabque, I seem to have some trouble with what you suggested as creating a second session object with $newSession = CGI::Session->new() or die CGI::Session->errstr; only will return the value of the first one. So what I tried was then deleting the first session cookie and adding a new session object, but this kicks the user out of the application. Any ideas? – sjottil Jan 13 '16 at 15:12
  • You have to create a new session object, move all the data from the old one to the new one, delete the old one in your data sink and send the session id of the new session to the client. – simbabque Jan 13 '16 at 15:25
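The procedure simbabque describes, worked through in Perl as an added example (not code from the question or from CGI::Session itself). The DSN string, the /tmp/sessions directory, the hypothetical regenerate_session() helper and the sample 'user' value are assumptions; the -httponly flag is an addition to the asker's cookie.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Cookie;
use CGI::Session;

# Assumed storage settings, not from the question: file driver under /tmp.
my $DSN      = 'driver:file;serializer:default;id:md5';
my $DSN_ARGS = { Directory => '/tmp/sessions' };

# Perl equivalent of PHP's session_regenerate_id(true): copy the data into
# a brand-new session, remove the old record from the store and return the
# new session so its id can be sent to the browser.
sub regenerate_session {
    my ($q, $old) = @_;
    my $old_id = $old->id;    # flush() empties a deleted session, so keep it

    # 1. Snapshot the user's data (param() with no args lists the names).
    my %data = map { $_ => $old->param($_) } $old->param();

    # 2. Remove the old record now; flush() writes the deletion, so the id
    #    the client held before login no longer resolves to anything.
    $old->delete;
    $old->flush;

    # 3. Ask for a session again. CGI::Session still reads the old id from
    #    the cookie, but it is gone from the store, so a fresh id is
    #    generated. (Calling new() before deleting the old record is why the
    #    asker kept getting the same id back.)
    my $new = CGI::Session->new($DSN, $q, $DSN_ARGS)
        or die CGI::Session->errstr;
    die "session id was not regenerated\n" if $new->id eq $old_id;

    # 4. Restore the data and persist it under the new id.
    $new->param($_ => $data{$_}) for keys %data;
    $new->flush;
    return $new;
}

my $q       = CGI->new;
my $session = CGI::Session->new($DSN, $q, $DSN_ARGS) or die CGI::Session->errstr;

# ... verify the submitted credentials here, then:
$session->param(user => 'alice');    # constructed sample data
$session = regenerate_session($q, $session);

# Send the new id with the asker's -secure flag; -httponly keeps page
# script from reading the cookie (mitigates the XSS case ikegami raises).
my $cookie = CGI::Cookie->new(
    -name => $session->name, -value => $session->id,
    -expires => '+2h', -secure => 1, -httponly => 1,
);
print $q->header(-cookie => $cookie);
```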
