Set app session ID in app session cert correctly #39971
Conversation
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with
This confused the heck out of me when troubleshooting an earlier issue this year. I'm not sure the fix is complete though. Should we remove the session ID from What about auditing? IIRC, the session ID that shows up in audit events is different than the session ID that shows up in the certs.
3a18042 to 72738f0
We do still want to need
Good point, I thought it was unreferenced but it is in fact used for audit events. Updated the PR to set the session ID correctly instead of not at all. Note: I originally mentioned this could degrade security, as someone who gained access to the web session key and cert could use it to connect to the app through the proxy as if using local app certs. This was all quite theoretical, and since we are making app sessions secret it really shouldn't be exploitable.
@strideynet @tcsc friendly ping to review
During my deep dive into App Access for Per-session MFA I discovered the app session ID on the actual app session certificate was set to a random UUID instead of the actual app session ID. Since the app session ID on the app session certs is not actually used for routing, unlike local app certs, this only affected audit events. You would see a random UUID instead of the app session ID.
Note: although this app session ID is a crypto-token and is used as a cookie in HTTP requests, it is not a secret. It does not provide access unless it is paired with the app session bearer token.
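The symptom described above (audit events carrying a random UUID that matches no issued app session) is easy to check for. The following is an added example, not code from this PR or from Teleport; the `AppSession` and `AuditEvent` types, the `session_id` field name and the sample lines are all constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AppSession models an issued app session (hypothetical type for this example).
type AppSession struct{ ID string }

// AuditEvent models one audit line; SessionID is what the app session cert carried (name assumed).
type AuditEvent struct {
	SessionID string `json:"session_id"`
}

// OrphanedSessionIDs returns the session IDs found in audit events that match no issued
// app session. Before this fix every app event would land here (random UUID, not the session ID).
func OrphanedSessionIDs(sessions []AppSession, rawEvents []string) ([]string, error) {
	known := make(map[string]bool, len(sessions))
	for _, s := range sessions {
		known[s.ID] = true
	}
	var orphans []string
	for _, line := range rawEvents {
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		if !known[ev.SessionID] {
			orphans = append(orphans, ev.SessionID)
		}
	}
	return orphans, nil
}

// Constructed sample data: two issued app sessions and three audit lines,
// one of which carries a random UUID rather than a known session ID.
var sampleSessions = []AppSession{{ID: "sess-aaa111"}, {ID: "sess-bbb222"}}
var sampleEvents = []string{
	`{"session_id":"sess-aaa111","app":"grafana"}`,
	`{"session_id":"7f3c0d9e-1b2a-4c5d-8e9f-0a1b2c3d4e5f","app":"grafana"}`,
	`{"session_id":"sess-bbb222","app":"jenkins"}`,
}

func main() {
	orphans, err := OrphanedSessionIDs(sampleSessions, sampleEvents)
	if err != nil {
		panic(err)
	}
	fmt.Println("audit session IDs matching no issued app session:", orphans)
}
```

After the fix, a non-empty result from this check on real audit data would point at a genuinely unknown session rather than at the cert issuance bug.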