Index: openacs-4/packages/acs-tcl/acs-tcl.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/acs-tcl.info,v
diff -u -N -r1.70.2.31 -r1.70.2.32
--- openacs-4/packages/acs-tcl/acs-tcl.info 21 May 2019 11:19:34 -0000 1.70.2.31
+++ openacs-4/packages/acs-tcl/acs-tcl.info 5 Nov 2019 10:12:58 -0000 1.70.2.32
@@ -9,7 +9,7 @@
f
t
-
+
OpenACS
The Kernel Tcl API library.
2017-08-06
@@ -18,7 +18,7 @@
GPL version 2
3
-
+
Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -N -r1.78.2.63 -r1.78.2.64
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 12 Sep 2018 08:30:37 -0000 1.78.2.63
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 5 Nov 2019 10:12:58 -0000 1.78.2.64
@@ -248,6 +248,17 @@
} else {
set auth_level ok
}
+ #
+ # In case there is no session_id, do not trust the
+ # provided cookie, since it might be stolen. In
+ # general, session cookies are recreated on the fly
+ # for the current user, but we do not want this in
+ # cases, when we have already a "valid" login cookie.
+ #
+ if {[ad_conn session_id] eq ""} {
+ ns_log warning "downgrade auth_level of user $untrusted_user_id since session_id invalid"
+ set auth_level expired
+ }
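Review bot: The warning logged at the new check describes the session_id as "invalid" while the condition only tests for an empty value, which makes the message harder to correlate with what actually happened when reviewing logs; consider `ns_log warning "downgrade auth_level of user $untrusted_user_id to expired since session_id is empty"`. Because the new block sits after the preceding if/else rather than inside its branches, it overrides whatever auth_level that branch assigned, which appears intended per the comment but is worth stating in it, e.g. `# This overrides any auth_level set above.` The enclosing proc starts before the hunk, so whether $untrusted_user_id and auth_level are always defined at this point cannot be confirmed from here.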
}
}