Jump to content

Change Session ID after successfull login


Darth Florus
 Share

Recommended Posts

Hi!:

My security deparment request to me to change the session ID (_S_ID value from ajax requests) after a successfull login.

I find no way to do this on UniGUI. I realize that is possible to change the session id via the UniSession.SessionID property, but If I make the change, I loose my session an it broke in invalid session.

There is a way to do that?

Thanks Pals and

Best Regards

Link to comment
Share on other sites

You can try the following:

After a successful login, save the current unigui session id to a log table with a timestamp and one time use flag. Terminate the current unigui session, redirect user to a special URL like /refreshsid?_S_ID=<your old session id>. As browser redirects to new URL unigui will generate a new session id. Check the old session id received from params[] to log table if exists then flag this user's mainmodule (it is recreated since you terminated the previous session) as logged in. So you have changed the session id after login without asking password again :)

It is easier if you to handle your login procedure manually instead of using unigui build in login form logic for the above case and many other cases.

Why the security guys ask to change session id after login? Aren't you using SSL always, before and after login?

  • Like 2
Link to comment
Share on other sites

  • 10 months later...
 Share

×
×
  • Create New...