Hey folks,
We're diving in to set up tokens in preparation for V12 and have come to notice that our token values are coming out as the SAME thing as the session key! They are properly written to the token table as the token.value, but this just seemed a little odd...
Can anyone confirm or deny that this is the proper functionality? Does anyone know how this value gets generated? I didn't see any reference to a web.config or otherwise for its setup.
Thanks,
James
Hi James
Yup, the token is simply a session key, as far as I can see. I suspect it borrows the session key of the session that generates the request, but I haven't checked.
Ken
Thanks, Ken. That seemed kinda funny, but I guess that's how it goes! As long as our setup isn't incorrect...
James
Wait, now that I think about it, isn't this a big security leak? Let's say someone who wants to hijack an account starts by setting up an account, then changing the password. They observe that the session id and the token match. Can't they now just do a request for any login? They need not receive email at that account, they can construct the token url manually from their knowledge of their own session id, get in and change the account password to whatever they like.
Yea, I wasn't gonna go there...but I agree. Without getting into the specifics of the vulnerability, I thought the purpose of the token was to abstract the session and allow for an expire-able reset token. But not to expose the session!!
Absolutely fair comments here. We've been thinking about changing the token structure for v12 and we'll make sure that it gets done.