Server Model: PHP
DB: MySQL
Hosting: AWS
When we open the website, a PHP Session ID is set up in the cookies on the browser.
After login (as admin), the Session ID remains the same.
I can use that Session ID to make requests from a tool like Postman as well.
Then after logout, the Session ID still remains the same on the browser.
At this point, when I make requests from Postman, they are denied - which is good.
Then again login as a user on the same browser, the Session ID is the same still!
Requests from Postman using this Session ID to access admin-only Wappler APIs fail - which is good. Only those APIs work which the user has access to.
Then after logout, the Session ID still remains the same.
The only problem here is that a security firm that audited this web app (services enlisted by the client themselves) has raised this as a High Severity issue with Firm confidence.
And this is the remediation info shared by the sec firm:
It should be done using session management features of PHP application server using session_start(), session_regenerate_id() or other appropriate mechanisms.
Can Wappler make changes to reset the Session ID at these touch points (security login/security logout perhaps)?
I suspect the same issue might apply to Node.JS as well - if yes, I request similar changes to reset the Session ID there as well, please!
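The two touch points described in the post, as an added example that is not part of the original post and not Wappler's own code: a PHP login/logout pair that rotates the session ID with session_regenerate_id() when the privilege level changes (login) and destroys the session plus its cookie on logout, which is exactly the remediation the audit quotes. The helper names login_user(), logout_user() and verify_password() are assumed for illustration, and the in-memory credential store is constructed for the example rather than read from MySQL.

```php
<?php
declare(strict_types=1);

// Added example (not Wappler's code): rotate the PHP session ID at login and
// logout so that a PHPSESSID captured or planted before login is worthless.

// Cookie/session hardening; these are real php.ini settings.
ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never accept PHPSESSID from the URL
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,     // assumes the site is served over HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function verify_password(string $username, string $password): bool
{
    // Constructed in-memory credential store for this example only;
    // the real app would load the password hash from MySQL.
    static $users = null;
    if ($users === null) {
        $users = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// Touch point 1: login. The privilege level changes here, so the ID that
// existed before authentication must not carry over into the admin session.
function login_user(string $username, string $password): bool
{
    if (!verify_password($username, $password)) {
        return false;
    }
    // Issue a fresh ID and delete the old session data (true = delete old file).
    // Anyone holding the pre-login PHPSESSID now has a dead identifier.
    session_regenerate_id(true);
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
    return true;
}

// Touch point 2: logout. Wipe server-side state, expire the browser cookie,
// then destroy the session; the next session_start() issues a brand-new ID.
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Demonstration: the ID before and after login must differ.
$before = session_id();
$ok     = login_user('admin', 'correct horse battery staple');
$after  = session_id();
echo $ok && $before !== $after ? "login rotated session ID\n" : "NOT rotated\n";
logout_user();
```

To confirm the fix from the outside, the check the auditor will repeat is simple: capture the Set-Cookie header (or the browser's cookie jar) before login, after login and after logout; the PHPSESSID value must change at both steps, and the pre-login value replayed from Postman after login must be rejected. The same two touch points exist on the Node.JS side when express-session is used: req.session.regenerate() on login and req.session.destroy() on logout play the roles of session_regenerate_id() and session_destroy() here.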