@@ -11,7 +11,7 @@
>
> Each finding is referenced as **F<N>** for later citation.
>
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (3 fixed, 24 open), 42 sev-1.
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (4 fixed, 23 open), 42 sev-1.
---
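Review bot: The sev-2 roll-up moves one finding from open to fixed (3 fixed / 24 open becomes 4 fixed / 23 open, total still 27), which matches the `Status: Fixed` line added in the later hunk, but the sev-1 entry is still a bare total of 42 with no fixed/open split, so a reader cannot tell from this line whether any sev-1 items have been resolved. Suggest giving sev-1 the same `(N fixed, M open)` breakdown the other two severities use.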
@@ -238,6 +238,19 @@
hardening regenerates on `initiate()` *before* redirecting to the
IdP.
- **Severity: 2**
+- **Status:** Fixed in `2a57589`. `OidcController::initiate` now calls
+ `SessionManager::regenerateId()` at the top, before delegating to the
+ authenticator that stashes `state`, `nonce`, and the PKCE
+ `code_verifier` in `$_SESSION`. The OIDC handshake state is therefore
+ bound only to a freshly rotated session id; any pre-fixated cookie is
+ invalidated at this moment. The post-callback rotation is unchanged
+ (defeats anything carrying over). Per F8, the rotation now also
+ fail-closes if response headers were already sent, so it cannot
+ silently no-op. Regression test in
+ `ui/tests/Integration/Auth/OidcFlowTest.php`
+ (`testInitiateRotatesSessionIdBeforeAuthenticate`) captures
+ `session_id()` inside a fake authenticator and asserts it differs
+ from the pre-request id.
### F10 — Open redirect via attacker-controllable `next` parameter
- **Files:** `ui/src/Auth/SessionManager.php:139-150` (`setNext` /
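Review bot: The added `Status` text claims that "any pre-fixated cookie is invalidated at this moment" when `SessionManager::regenerateId()` runs at the top of `OidcController::initiate`, but that only holds if the regeneration also discards the old session's data (PHP's `session_regenerate_id()` keeps the old session unless called with `true`), and nothing in the hunk or in the described test establishes this: `testInitiateRotatesSessionIdBeforeAuthenticate` asserts only that `session_id()` seen inside the fake authenticator differs from the pre-request id, which proves ordering, not invalidation. Suggest either stating in the status line that `regenerateId()` destroys the old session, or adding a second assertion in `ui/tests/Integration/Auth/OidcFlowTest.php` that the pre-request id no longer resolves to a session holding `state`, `nonce` or `code_verifier`.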