I've been able to log in with my credentials just by using this kind of address in the browser: "https://localhost:8080/web/webclient/login?db=MyDB&login=myusername&key=mypassword&session_id=994f75a93ac949489423368d0e528109", in which the value for session_id is the result of connecting via JSON-RPC in C#.
However, I think no cookie is set, because when I try to browse to just localhost:8080 from a different tab I am redirected to the login page and not to the opened home page of the account, even though I have not yet logged out.
I want to ask if it is possible to assign my own value for session_id or the cookie using JSON-RPC in C#?
The web module looks for the session id in the cookie variable sid. If it is not set, it looks for the request variable sid. So sending sid in the request URL works just like in the cookie.
The session cookie is only set by the request handler if the response already has set_cookie, which happens at login. Since you are already logged in for this session by the JSON-RPC client, the session cookie will not be set.
Check the method Root.dispatch() in the
@Mohammad Alhashash your answer was (You may also modify Root.dispatch() to add response.set_cookie('sid', session.sid) in case sid is read from a URL parameter.) and this gives the attacker the opportunity to use the session fixation method for hacking the system users by setting sid="WHATEVER_VALID_SESSION_ID" in the URL.
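To make the point of the comment concrete, here is an added example (not Odoo's code, and not the code of anyone in this thread): a minimal, hypothetical model of the lookup order described in the answer (cookie sid first, then the request parameter sid), with a variant that pins a URL-supplied sid into the cookie next to a hardened variant that ignores the URL parameter and rotates the session id at authentication. The names SessionStore, lookup_sid and dispatch_* are invented for the illustration.

```python
import secrets


class SessionStore:
    """Hypothetical in-memory session table: sid -> {"user": ...}."""

    def __init__(self):
        self.sessions = {}

    def new(self):
        sid = secrets.token_hex(16)          # unguessable, server-generated id
        self.sessions[sid] = {"user": None}
        return sid


def lookup_sid(cookies, params):
    """Lookup order from the answer: cookie 'sid' first, then request param 'sid'."""
    return cookies.get("sid") or params.get("sid")


def dispatch_fixation_prone(store, cookies, params, login_as=None):
    """Weak variant: adopts a sid taken from the URL and pins it into the cookie.
    If a third party chose that sid, they now share the authenticated session."""
    sid = lookup_sid(cookies, params)
    if sid not in store.sessions:
        sid = store.new()
    if login_as:
        store.sessions[sid]["user"] = login_as   # same sid survives login
    return sid, {"sid": sid}                      # (session id, response cookie)


def dispatch_hardened(store, cookies, params, login_as=None):
    """Hardened variant: never read the session id from the URL, and issue a
    fresh id when the session becomes authenticated (session rotation)."""
    sid = cookies.get("sid")                     # URL parameter is ignored
    if sid not in store.sessions:
        sid = store.new()
    if login_as:
        store.sessions.pop(sid)                  # discard pre-login id
        sid = store.new()
        store.sessions[sid]["user"] = login_as
    return sid, {"sid": sid}
```

Running both variants with a pre-existing sid passed only in the URL shows the difference: the weak handler authenticates that exact id, while the hardened one leaves it unauthenticated and returns a new, server-chosen id.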
Asked: 2/18/13, 9:09 AM
Last updated: 3/16/15, 8:10 AM