Can i assign my own session0|sessionid or cookie using JSON-RPC?

Question

I've been able to login my credentials by just using this kind of address in the browser
"h t t p s://localhost:8080/web/webclient/login?db=MyDB&login=myusername&key=mypassword&session_id=994f75a93ac949489423368d0e528109" in which the value for the session_id is a result from connecting via JSON-RPC in C#.
However, I think no cookie is set because when I try to browse just the localhost:8080 from a different tab I am redirected to the login page and not the opened home page of the account though

Mohammad Alhashash · Accepted Answer

The web module looks for the session id in cookies variable sid . If it is not set, it looks for the request variable sid . So sending sid in request URL works just like in cookie.

The session cookie is only set by the request handler only if the response already has set_cookie which happens at login. Since you are already logged-in for this session by the JSON-RPC client, the session cookie will not be set.

Check the method Root.dispatch() in the web module.

Mohammed Mansour · Answer

@ Mohammad Alhashash [1]  your answer was (You may also modify Root.dispatch() to addresponse.set_cookie('sid', session.sid) in case of sid is read from url parameter.) and this gives the attacker the opportunity to use the session fixation method for hacking the system users by setting sid="WHATEVER_VALID_SESSION_ID" in the url.

[1] https://www.odoo.com/forum/help-1/partner/72018

관련 게시물	답글	화면
Odoo(OpenERP) Cookie Session ID Issues ? session cookie hack session_id	0 3월 15	6953
Cookies validity date value is too long, it is a security issue. How can it be reduced? chrome session cookie session_id cookies	2 9월 20	6215
Server Action to correct POS session opening and closing date session	1 5월 25	1298
How do I get the Website Cookie bar to popup only once at the home page? cookie	1 1월 23	2605
session timeout odoo 13 session	0 2월 22	3280

신고된 질문입니다

토론이 재미있으신가요? 직접 참여해보세요!