Moodle in English: Session key in URLs?

Session key in URLs?

by Dan Ballance - Wednesday, April 21, 2010, 10:03 PM

Hi folks,

We have recently put one of our Moodle's (1.9.8) through penetration testing at the request of a client. Most of the issues are quickly solvable - a couple we may alert you to via the tracker once confirmed as issues in Moodle core and not our own code/configuration.

One point raised was the use of session keys in URLs. The worry being about these being obtained via proxy server caches and the like.

I've been told by one of the Moodle development team that it is not possible to switch this functionality off. Just wondering what the advice is to feed back to the client?

I guess my first take on this is to make sure the session time-out is set to 10 mins or so, so then the session key is only of value for a short period of time...

Any views or comments people want to share about this here?

Many thanks,

dan

Re: Session key in URLs?

by Hubert Chathi - Wednesday, April 21, 2010, 11:38 PM

Note that the session key that is present in (some) URLs is not the same as your Moodle session ID. You cannot log in with someone else's session key -- the session key is an extra piece of information that is used to prevent cross-site request forgery. (In short, the session key prevents someone from tricking another user into clicking a link that causes Moodle to perform some action -- without the right session key, Moodle will refuse to perform the action.)

Average of ratings: -

Re: Session key in URLs?

by Dan Ballance - Thursday, April 22, 2010, 7:45 PM

Thanks very much for the clarification - you are of course exactly right

Average of ratings: -

Re: Session key in URLs?

by Christien Paul - Thursday, August 26, 2010, 9:54 AM

So how do you create links to include the session key? I'm trying to install this uploadevent.php script I found here; http://moodle.org/mod/forum/discuss.php?d=19456&parent=94400

It says add a link to the admin/index.php file
Although i want the link to appear in the admin_tree_block

Please advise,
CP

Average of ratings: -

Re: Session key in URLs?

by John Grobler - Wednesday, October 6, 2010, 2:32 PM

Good day Dan,

May I ask which tool(s) did you use to perform the Moodle penetration testing?

Thank you,
John Grobler

Average of ratings: -

Re: Session key in URLs?

by Lars-Olof Krause - Wednesday, October 6, 2010, 6:42 PM

If you want to make sure Session-Information (Cookie / Sessionkey) is safer you could use the PHP-Extension Suhosin, where you can Encrypt this information with several user-data in the key. f.e. the user-agent, IP-Adress (or parts of it)

We (a group of students from FH Gießen-Friedberg - University of Applied Sciences) developed an admininterface for the extention to use in Moodle.

Additional we developed an Moodle-Plugin which contains PHP-IDS as Intrusion-Detection- and Prevention-System, so f.e. the use of SQL-Injektions, which is already escaped by the moddle-core, is loged and can cause penalties for the user.

Our Plugins are developed on the newes moodle version 2, so you can't use this plugins right now, but will be able to, when moodle 2 developement is stable (at the moments its RC1) and you decide to upgrade.

Our Plugins are available at http://sourceforge.net/projects/hardeningmoodle/files/

Average of ratings: -

Security and privacy

Session key in URLs?