Hello Team,
I logged in as admin and copied the moodlesession key value from the cookies tab. Then I logged in as the student user in a private browser window, opened the cookies tab under Application in Chrome, pasted the admin moodlesession value into the student's cookies and refreshed the page; the admin then gets logged in there.
I have tried the Moodle sandbox as well and have the same issue there, and I think it's a major security issue if someone gets a user's moodlesession value. Is there any way to handle this?
IMHO, this is not an issue; it's only how session management actually works on every website in the world.
But what about security? Using the moodlesession value, anyone can log in without a username and password.
Yes, you are stealing a session identifier; that's why we usually protect the transmission of this information with the HTTPS protocol, so that nobody can steal it.
You are attacking your browser, not Moodle.
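Added example, not part of the original thread: a check a site administrator could run over response headers to see whether the session cookie discussed above is protected in transit, as the reply about HTTPS describes. The header lines are constructed samples, and the cookie name prefix `MoodleSession` and the function names are assumptions; the HttpOnly check goes slightly beyond the HTTPS point made in the thread.

```python
# Constructed sample response headers (not captured from a real site).
SAMPLE_WEAK = [
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: MoodleSession=constructedvalue0001; path=/",
]
SAMPLE_HARDENED = [
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: MoodleSession=constructedvalue0002; path=/; secure; HttpOnly",
]


def parse_set_cookie(header_line):
    """Split one Set-Cookie header line into (name, value, attributes)."""
    _, _, raw = header_line.partition(":")
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_session_cookie(header_lines, scheme, cookie_prefix="MoodleSession"):
    """Return a list of findings for the session cookie in one response.

    cookie_prefix is an assumption; adjust it to the cookie name your site sets.
    """
    findings = []
    seen = False
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(line)
        if not name.lower().startswith(cookie_prefix.lower()):
            continue
        seen = True
        if scheme != "https":
            findings.append("plain-http: session identifier is readable on the network")
        if "secure" not in attrs:
            findings.append("no-secure: browser may send the cookie over HTTP")
        if "httponly" not in attrs:
            findings.append("no-httponly: page scripts can read the cookie")
    if not seen:
        findings.append("not-found: no session cookie in these headers")
    return findings


if __name__ == "__main__":
    for finding in audit_session_cookie(SAMPLE_WEAK, "http"):
        print(finding)
```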