|
|
@@ -11,7 +11,7 @@
|
|
|
>
|
|
|
> Each finding is referenced as **F<N>** for later citation.
|
|
|
>
|
|
|
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (2 fixed, 25 open), 42 sev-1.
|
|
|
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (3 fixed, 24 open), 42 sev-1.
|
|
|
|
|
|
---
|
|
|
|
|
|
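Review bot: the sev-2 tally in the replaced rollup line still sums correctly (3 fixed + 24 open = 27), but the sev-1 bucket is the only one without a fixed/open split, so the same arithmetic check cannot be applied to it; consider writing it as `42 sev-1 (N fixed, M open)` to match the other two buckets. It would also help a reader to name in the rollup (or in the commit message) which sev-2 finding moved from open to fixed, since the number alone cannot be traced to the status change further down without diffing the whole file.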
@@ -210,6 +210,21 @@
|
|
|
session fixation). Should fail-closed instead of silently
|
|
|
no-op'ing.
|
|
|
- **Severity: 2**
|
|
|
+- **Status:** Fixed in `f811b25`. `SessionManager` now distinguishes a
|
|
|
+ CLI/test mode (auto-detected from `PHP_SAPI === 'cli'`, overridable
|
|
|
+ via constructor) from HTTP mode. In HTTP, both `regenerateId()` and
|
|
|
+ `clear()` throw `\RuntimeException` when `headers_sent()` is true,
|
|
|
+ surfaced by Slim as a 500 so the operator chases the upstream output
|
|
|
+ bug rather than silently leaving the pre-auth cookie valid. Under CLI
|
|
|
+ (PHPUnit), a manual rotation path resets `session_id()` and preserves
|
|
|
+ `$_SESSION`, matching `session_regenerate_id(true)` semantics for
|
|
|
+ tests. The `headers_sent()` call is also routed through an injectable
|
|
|
+ closure so unit tests can drive the HTTP fail-closed path without a
|
|
|
+ real web server. Regression tests in
|
|
|
+ `ui/tests/Unit/Auth/SessionManagerTest.php`
|
|
|
+ (`testRegenerateIdThrowsInHttpModeWhenHeadersSent`,
|
|
|
+ `testClearThrowsInHttpModeWhenHeadersSent`,
|
|
|
+ `testCliFallbackRotatesIdAndPreservesSession`).
|
|
|
|
|
|
### F9 — OIDC session id not regenerated *before* the handshake starts
|
|
|
- **Files:** `ui/src/Auth/OidcController.php:39-47, 89`,
|
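Review bot: the CLI fallback described in the added Status lines ("a manual rotation path resets `session_id()` and preserves `$_SESSION`, matching `session_regenerate_id(true)` semantics") does not match those semantics on one point that matters for this finding: `session_regenerate_id(true)` deletes the old session from the backing store, whereas assigning a new id and carrying `$_SESSION` over leaves the old id valid, which is exactly the fixation window the finding is about; either state that the fallback is test-only and must never run under a web SAPI, or have it destroy the old session record too. Related: mode is auto-detected from `PHP_SAPI === 'cli'` and is "overridable via constructor", but none of the three listed regression tests exercises the case where the override forces CLI mode under a non-CLI SAPI (which would silently reopen the no-op path); a test asserting that HTTP mode is selected whenever `PHP_SAPI !== 'cli'` unless explicitly overridden, and a comment at the constructor parameter warning that the override disables the fail-closed behaviour, would close that gap.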