Migration of GAM Integration Module to GX17U3 or higher

Security is one of the top priorities of K2BTools. With support of the GeneXus Consulting security team, we usually make improvements over the GAM Security module provided by GeneXus.

Since K2BTools 11, code was added in the GAM integration module to mitigate a session fixation attack. In version 17 Upgrade 3, GeneXus mitigates this problem (see SAC #49392), making this extra protection unnecessary.

Moreover, due to these fixes, developers migrating from versions of GeneXus lower than GX17U3 to GeneXus 17 U3 or higher MUST make some changes.

Issues caused by the fix

  • Access denied, at execution time, to all objects generated by K2BTools when using the .NET generator.
    The actual cause is that K2BIsAuthorizedActivityList always returns false.
  • Captcha is not shown in login screen after a failed login attempt.

Fixing the issues

K2BTools 13.1 or higher:

If no customizations were made to the GAM Integration Module, or the modifications made can easily be restored:

  • Update GAM Integration module by executing K2BTools -> Install GAM Integration Module
  • Remove the K2BFSG.SetAuthCookie and K2BFSG.ClearAuthCookie procedures from the KB

Otherwise, the steps below must be followed.

Access Denied

We provide two ways of fixing the problem.

The first one is to import the xpz file UpdateK2BToolsSecurityModuleGX17U3.

The second one is to open the K2BIsAuthorizedActivityList procedure and remove the code marked in red in the image below

(Image: K2BIsAuthorizedActivityListCodeToRemove)

and change the K2BIsAuthenticated procedure so that it has the following code:

If GAMUser.isAnonymous()
    &IsAuthenticated = False
Else
    &IsAuthenticated = True
EndIf

(Image: K2BIsAuthenticatedCode)

Captcha (UPDATED 21/05)

We provide two ways of fixing the problem.

The first one is to edit the Login object.

  • Import from here the domain K2BFSGConstants
  • In the 'ProcessLogin' subroutine, add the code shown below around the call to the GAMRepository.Login method: the two K2BSessionGet calls before it and the two K2BSessionSet calls after it. Additionally, the 'RenewSession' subroutine must be removed (together with the calls to this subroutine).

// Before the login call: read the captcha state from the current session
K2BSessionGet.Call(K2BFSGConstants.SessionCaptchaActive, &CaptchaActive)
K2BSessionGet.Call(K2BFSGConstants.SessionCaptchaItem, &CaptchaRequiredText)

&LoginOK = GAMRepository.Login(&UserName, &UserPassword, &AdditionalParameter, &Errors )

// After the login call: write the captcha state back into the session
K2BSessionSet.Call(K2BFSGConstants.SessionCaptchaActive, &CaptchaActive)
K2BSessionSet.Call(K2BFSGConstants.SessionCaptchaItem, &CaptchaRequiredText)

(Image: K2BFSG.Login)
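The reason the captcha flags are read before the GAMRepository.Login call and written back after it is that a session whose identifier is regenerated at login (the session-fixation mitigation) also loses the data bound to the old identifier. The following Python model, added here as an illustration and not code from K2BTools or GeneXus, shows that effect: it assumes a session store that discards the pre-login session on every login call (SessionStore, repository_login and process_login are names chosen for the example; the GAM behaviour is only approximated).

```python
"""Model: why captcha state must be carried across a login call that
regenerates the session.

Added example, not K2BTools or GeneXus code. Assumptions: the login call
regenerates the session (new id, fresh data) on every attempt, and the captcha
state is kept under the same keys the page uses.
"""
import secrets

# Session keys, named after the K2BFSGConstants members used on the page
CAPTCHA_ACTIVE = "SessionCaptchaActive"
CAPTCHA_ITEM = "SessionCaptchaItem"


class SessionStore:
    """Minimal server-side session store keyed by a random session id."""

    def __init__(self):
        self._data = {}
        self.current_id = self._new_session()

    def _new_session(self):
        sid = secrets.token_hex(16)
        self._data[sid] = {}
        return sid

    def get(self, key, default=""):
        return self._data[self.current_id].get(key, default)

    def set(self, key, value):
        self._data[self.current_id][key] = value

    def regenerate(self):
        """Session-fixation mitigation: the id that existed before login is
        discarded, so an id planted before authentication cannot be reused
        afterwards. Everything stored under the old id is dropped with it."""
        old = self.current_id
        self.current_id = self._new_session()
        del self._data[old]
        return old


def repository_login(session, user, password, valid_users):
    """Stand-in for GAMRepository.Login (assumption: it regenerates the
    session on every call, whether or not the credentials are valid)."""
    session.regenerate()
    return valid_users.get(user) == password


def process_login(session, user, password, valid_users, carry_captcha_state):
    """Mirrors the page's 'ProcessLogin' subroutine. With
    carry_captcha_state=True the captcha flags are read before the login
    call and written back afterwards, as the migration step requires."""
    if carry_captcha_state:
        captcha_active = session.get(CAPTCHA_ACTIVE)
        captcha_item = session.get(CAPTCHA_ITEM)
    ok = repository_login(session, user, password, valid_users)
    if carry_captcha_state:
        session.set(CAPTCHA_ACTIVE, captcha_active)
        session.set(CAPTCHA_ITEM, captcha_item)
    return ok


def captcha_flag_survives_login(carry_captcha_state):
    """Returns True when the captcha flag set before a login attempt is still
    present after it. Credentials are constructed sample data."""
    session = SessionStore()
    users = {"alice": "correct-horse-battery"}  # constructed sample user
    # State a previous failed attempt would have left behind (see the page's
    # 'ActivateCaptcha' subroutine)
    session.set(CAPTCHA_ACTIVE, "true")
    session.set(CAPTCHA_ITEM, "alice")
    process_login(session, "alice", "wrong-password", users, carry_captcha_state)
    return session.get(CAPTCHA_ACTIVE) == "true"


def fixation_mitigated():
    """Returns True when a login leaves the client with a new session id and
    the old id no longer resolves to any session data."""
    session = SessionStore()
    old = session.current_id
    repository_login(session, "alice", "x", {})
    return session.current_id != old and old not in session._data


if __name__ == "__main__":
    print("without carry-over:", captcha_flag_survives_login(False))  # False
    print("with carry-over:   ", captcha_flag_survives_login(True))   # True
    print("fixation mitigated:", fixation_mitigated())                # True
```

Without the carry-over the flag that tells the login page to render a captcha disappears with the old session, which is the symptom listed above; the get-before, set-after pattern re-binds that state to the regenerated session.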

  • In the 'ProcessLogin' subroutine, remove the line of code containing K2BFsg.Login.Call()
  • Remove the code in the U_Login subroutine and paste the following code:


&URL = K2BSessionGet(K2BFSGConstants.SessionCaptchaRedirectURL)
If &URL.IsEmpty()
    &URL = GAMRepository.GetLastErrorsURL()
EndIf

// First, check if a captcha is needed
&IncorrectLoginsExisted = CaptchaShouldBeRequired(&LogOnTo, &UserName)
If &IncorrectLoginsExisted
    &CaptchaIsCorrect = EvaluateCAPTCHACorrectness(&CaptchaText)
    If &CaptchaIsCorrect
        Do 'ProcessLogin'
    Else
        // Reload the web page (and generate a new captcha)
        Do 'ActivateCaptcha'
        K2BFSG.Login.Call() // Reload the login page to show the errors
    EndIf
Else
    Do 'ProcessLogin'
EndIf
(Image: K2BFSG.Login)

  • Remove the code in the 'ActivateCaptcha' subroutine and add the following code:


K2BSessionSet.Call(K2BFSGConstants.SessionCaptchaActive, !"true")
K2BSessionSet.Call(K2BFSGConstants.SessionCaptchaRedirectURL, &URL)

(Image: K2BFSG.Login)

The second one is to import the Login object that can be downloaded from LoginObject. Warning: the existing Login object will be overwritten, so extra precautions must be taken if its code or web form was customized.