Session token Id should be generated in a random way
Description
The session token Id should be generated in a random way to avoid collision between several connections. Since it is possible to Activate an already active session with a different Secure Channel, but same user identity, if 2 connections use same user credential it is possible for a connection to re-use an old session token by mistake or even guess a possible session token. Then the session is transferred from a connection to the other and the session becomes suddenly not valid anymore for the first connection.
With a secure connection the problem is not possible due to the client signature which prove the possession of the last server Nonce
Moreover if a connection uses a session Id not associated with the secure channel, the session is closed but the secure channel is not.
Fixes
- Close the secure channel using an invalid session token instead of closing the session (and not the SC): see
server_validate_session_service_req
- Generate random session token to avoid tthe possible collisions between connections with same credentials