Bug: Session Variable Inconsistency in verify_user.py
Severity: Medium
CVSS: 5.3
Description
In verify_user.py, the verification_code is stored as a global variable instead of in the session. This creates inconsistencies:
- Global variable persists across requests (security risk)
- Not tied to specific user session (multi-user issues)
- Not cleared after successful verification
Current Code (Line 51)
Fix Required
- Store verification_code in session:
- Clear session variable after successful verification
- Add session timeout for verification codes (e.g., 15 minutes)
References
- Session management best practices
- CWE-613: Insufficient session expiration
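Added example (not the code from verify_user.py, which is not shown here): one way to implement the three "Fix Required" steps together. It assumes `session` is a per-user, dict-like object such as the one a web framework supplies; the function names, session keys and 6-digit code format are hypothetical.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60  # the 15-minute timeout suggested in the report


def issue_code(session, now=None):
    """Generate a code and store it, with its issue time, in this user's session."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # assumed format: 6 digits
    session["verification_code"] = code
    session["verification_code_issued_at"] = now
    return code  # the caller delivers it to the user out of band


def _clear(session):
    # Remove both keys so a used or expired code cannot be replayed.
    session.pop("verification_code", None)
    session.pop("verification_code_issued_at", None)


def verify_code(session, submitted, now=None):
    """Return True only for a matching, unexpired code issued in this same session."""
    now = time.time() if now is None else now
    expected = session.get("verification_code")
    issued_at = session.get("verification_code_issued_at")
    if expected is None or issued_at is None:
        return False  # nothing was issued for this session
    if now - issued_at > CODE_TTL_SECONDS:
        _clear(session)  # expired: drop it rather than leave it lying around
        return False
    # Constant-time comparison on bytes avoids leaking how many digits matched.
    if not hmac.compare_digest(str(submitted).encode(), expected.encode()):
        return False
    _clear(session)  # success: the code is single-use
    return True
```

Because the code lives in the caller's session rather than in module state, a code issued to one user is never visible when another user's request is verified.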