Dear Miller,
Thanks a lot for your reply.
I have mentioned your solution to my security team. They are very happy with your solution and asked one question related to
Session Identifier Not Updated
Their concern is given below.
Session identifier not updating: again, this has nothing to do with session identifier complexity... Irrelevant!
DEMO -- as follows:
When we first log in:
Value of MoodleSession Identifier = 100oekkrtfcud38jb82u1mfs23
Then I log out and log in again:
After logging in again, I check the session ID again; I should have a new session ID,
but that is not the case:
As you can see below, the Moodle session identifier is the same, so it has not been updated (and we are not speaking about its complexity), which also means that the user's session has not been
killed after the logout.
What is the risk?
The risk is that the session can be reused by a hacker after the victim logs out of the
application, and the hacker does not need to know the victim's credentials.
Support could reply that, as the MoodleSession cookie is secure, it is impossible to get it through the network because it is not transmitted outside an SSL/TLS connection.
Can you please check this issue? As per my understanding, it is because of the old Moodle version 1.9.5.
Thanks
Vinod Kumar
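The sequence the security team walks through above (log in, note the cookie, log out, log in again, compare) is a property you can test mechanically. The following is an added example, not code from this thread or from Moodle: a tiny in-memory session store that can be configured either to behave the way the message describes (same identifier before and after logout/login, session never destroyed) or the hardened way (new identifier on login, old session destroyed on logout), plus the check a tester would run against either. The names SessionStore and check_session_rotation, the USERS table and the password are this example's own; only the cookie name MoodleSession and the 26-character identifier length come from the thread.

```python
"""Does a login/logout flow rotate the session identifier and kill the old one?"""
import secrets

SESSION_COOKIE = "MoodleSession"   # cookie name quoted in the thread
USERS = {"vinod": "correct horse battery staple"}   # constructed test account (hypothetical)


class SessionStore:
    """Hypothetical server-side session table, configurable to be weak or hardened."""

    def __init__(self, regenerate_on_login: bool, destroy_on_logout: bool):
        self.regenerate_on_login = regenerate_on_login
        self.destroy_on_logout = destroy_on_logout
        self._sessions = {}            # session id -> {"user": str | None}

    def _new_id(self) -> str:
        return secrets.token_hex(13)   # 26 hex chars, same length as the id in the thread

    def start(self) -> str:
        """First request without a cookie: issue an anonymous session id."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        """Authenticate; returns the id the client must use from now on."""
        if sid not in self._sessions or USERS.get(user) != password:
            raise PermissionError("unknown session or bad credentials")
        if self.regenerate_on_login:
            # Equivalent of PHP session_regenerate_id(true): fresh id, old id deleted,
            # so an id captured before authentication never becomes authenticated.
            data = self._sessions.pop(sid)
            sid = self._new_id()
            self._sessions[sid] = data
        self._sessions[sid]["user"] = user
        return sid

    def logout(self, sid: str) -> str:
        """Returns the id the client holds after logout."""
        if self.destroy_on_logout:
            self._sessions.pop(sid, None)   # server forgets the old id entirely
            return self.start()             # client continues with a fresh anonymous id
        # Weak behaviour described in the thread: the id survives logout unchanged.
        if sid in self._sessions:
            self._sessions[sid]["user"] = None
        return sid

    def whoami(self, sid: str):
        """Who the server believes presents this cookie value (None = anonymous/unknown)."""
        entry = self._sessions.get(sid)
        return None if entry is None else entry["user"]


def check_session_rotation(store: SessionStore, user: str, password: str) -> dict:
    """Replay the thread's demo and report what a tester would record."""
    sid_anon = store.start()                                   # before first login
    sid_login1 = store.login(sid_anon, user, password)         # first login
    captured = sid_login1        # value an attacker could have stolen during the session
    sid_after_logout = store.logout(sid_login1)                # logout
    sid_login2 = store.login(sid_after_logout, user, password) # login again
    return {
        # id changed at each authentication (defeats session fixation)
        "rotates_on_login": sid_login1 != sid_anon and sid_login2 != sid_after_logout,
        # the id seen after the second login differs from the one seen after the first
        "rotates_across_logout": sid_login2 != sid_login1,
        # the thread's risk: a cookie stolen earlier is authenticated again
        # after the victim logs out and back in, without knowing any credentials
        "stolen_id_reusable": store.whoami(captured) == user,
    }


if __name__ == "__main__":
    weak = SessionStore(regenerate_on_login=False, destroy_on_logout=False)
    hardened = SessionStore(regenerate_on_login=True, destroy_on_logout=True)
    for label, store in (("weak", weak), ("hardened", hardened)):
        print(label, check_session_rotation(store, "vinod", USERS["vinod"]))
```

Against a real deployment the same three observations are what to record in the report: whether the MoodleSession value changes at login, whether it changes across logout/login, and whether the pre-logout value is still accepted afterwards. The third is the one that turns a "cosmetic" finding into a reusable-session finding, and the cookie's Secure flag does not affect it, since it only restricts how the cookie travels, not whether the server still honours it.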