fix(security): [CWE-613] enforce session validation

[WilliamNHarvey]

Security Fix: CWE-613 — CookieSessionManager.Current does not enforce Session.Validate

Summary

Field	Value
Application	cookies
Severity	medium
CWE	CWE-613
Category	auth/session
File	sessions.go:30
Confirmed	yes

Vulnerability Description

The Session interface declared Validate(*http.Request) error, but CookieSessionManager.Current only decrypted and decoded the cookie through SecureCookieManager.Get. It returned that decrypt/decode error directly and never invoked the validation hook. Consumers expecting Current to enforce expiration, revocation, request binding, or other session validity checks could accept validly encrypted but invalid sessions.

Proof of Exploit

The proof harness seeded a valid encrypted session whose Validate method always returned an error and incremented a counter. CookieSessionManager.Current returned nil, decoded the session, and left the validation counter at zero. Runtime startup was intentionally disabled for this static Go library; the issue is source-confirmable because the missing call was in the deterministic library control flow.

Data Flow

Request cookie -> CookieSessionManager.Current -> SecureCookieManager.Get decrypts and decodes into the caller-provided Session -> Current returned without calling sess.Validate(req) -> invalid session state could be accepted by the caller.

Changes Made

CookieSessionManager.Current now returns decrypt/decode errors first and calls sess.Validate(req) after a successful decode. Regression tests cover both failing validation and successful validation, including that decoded session data is still available.

Before / After

Before:

func (sm *CookieSessionManager) Current(req *http.Request, sess Session) error {
	_, err := sm.cm.Get(req, sm.name, sess)
	return err
}

After:

func (sm *CookieSessionManager) Current(req *http.Request, sess Session) error {
	if _, err := sm.cm.Get(req, sm.name, sess); err != nil {
		return err
	}

	return sess.Validate(req)
}

HIPAA / PII Impact Assessment

This fix strengthens session validity enforcement for consuming services that may gate PHI/PII access through cookie-backed sessions. It does not log, expose, or store patient data.

Testing

• Regression test added or exact existing spec cited: go test -v ./...
• Existing tests pass
• Proof-of-exploit no longer works after fix
• No regression in authentication/authorization flows
• RuboCop/lint passes for changed Ruby files: N/A, Go library; go vet ./... passed

QA

This repository is a backend Go library/package with no browser, admin UI, or running service surface. Manual validation is local/API-level:

1. Run go test -v ./....
2. Confirm TestCookieSessionManagerCurrentEnforcesSessionValidate returns the validation error and records one Validate call.
3. Confirm TestCookieSessionManagerCurrentReturnsNilWhenSessionValidates still returns successfully when validation passes.

Reviewers

Ready-for-review PRs request @doximity/security_guild_reviewers (AppSec) plus
CODEOWNERS for the changed paths. Draft PRs intentionally defer security-guild
review requests until the PR is validated and marked ready. Both must approve
before merge.

---

This PR was auto-generated by the security-auditor agent.
The "Agent run cost" block is appended to this description automatically after
the audit run completes.