Last modified: 2013-04-22 16:15:51 UTC
CentralAuth is vulnerable to Session Fixation attacks [0]. It uses the existing session id from a browser's cookie when setting up the CentralAuth session, without resetting the value.

[0] - https://www.owasp.org/index.php/Session_fixation

If an attacker can set a cookie with the name 'centralauth_Session' with a known value on a victim's browser and the victim later logs in, the attacker can impersonate the victim by using the CentralAuth session id with the chosen value.
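The following is an added illustration of the session-fixation flaw described in this report and of the mitigation the thread converges on (issuing a new session id at login). It is not CentralAuth or MediaWiki code; the `SessionStore`, `login_vulnerable`, `login_fixed` and `simulate` names, the in-memory store and the planted cookie value are all constructed for the example. The only thing it shares with the real bug is the pattern: the vulnerable login keeps whatever id the browser presented, the fixed login replaces it with a server-chosen one and discards the old id.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for this example.

    Like a typical cookie-backed session layer, it accepts an arbitrary id
    presented by the browser and creates an anonymous session for it. That
    acceptance is what a fixation attack relies on: the attacker knows the
    id before the victim ever authenticates.
    """

    def __init__(self):
        self.sessions = {}  # session id -> session data

    def get_or_create(self, presented_id):
        if presented_id not in self.sessions:
            self.sessions[presented_id] = {"user": None}
        return presented_id

    @staticmethod
    def new_id():
        # Server-chosen, unpredictable id (128 bits from the OS CSPRNG).
        return secrets.token_hex(16)


def login_vulnerable(store, presented_id, username):
    """Authenticates the session under the id the browser presented.

    This mirrors the reported CentralAuth behaviour: the pre-login id is
    reused, so an id planted by an attacker becomes an authenticated session.
    """
    sid = store.get_or_create(presented_id)
    store.sessions[sid]["user"] = username
    return sid


def login_fixed(store, presented_id, username):
    """Regenerates the session id at the privilege change.

    The authenticated state is stored only under a fresh server-chosen id;
    the previously presented id is removed so it can no longer be used.
    """
    old_id = store.get_or_create(presented_id)
    data = store.sessions.pop(old_id)  # invalidate the attacker-known id
    new_sid = store.new_id()
    data["user"] = username
    store.sessions[new_sid] = data
    return new_sid


def whoami(store, sid):
    """Return the user bound to a session id, or None if unauthenticated/unknown."""
    return store.sessions.get(sid, {}).get("user")


def simulate(login):
    """Play the scenario from the report against a given login implementation.

    1. The attacker has planted a known id in the victim's session cookie.
    2. The victim logs in, presenting that id.
    3. We check what the planted id resolves to, and what the victim's
       post-login id resolves to.
    Returns (user seen via planted id, user seen via victim's id).
    """
    store = SessionStore()
    planted_id = "attacker-chosen-id"  # constructed value, not a real session id
    victim_sid = login(store, planted_id, "victim")
    return whoami(store, planted_id), whoami(store, victim_sid)


if __name__ == "__main__":
    print("vulnerable:", simulate(login_vulnerable))  # planted id is now 'victim'
    print("fixed:     ", simulate(login_fixed))       # planted id resolves to nothing
```

In the vulnerable variant the planted id resolves to the victim's account after login, which is exactly the impersonation the report describes; in the fixed variant only the freshly generated id carries the authenticated state, so a pre-chosen cookie value is worthless to whoever planted it. The same regeneration belongs at every privilege change, not only at login.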
Attachment on bug 40747 (http://bug-attachment.wikimedia.org/attachment.cgi?id=11200) fixes this
Using CVE-2012-5395 to track this
Created attachment 11353: Generate new Session ID for CentralAuth on login
The patch looks good.
Merged Gerrit change #36094 links here; bug may be resolved.