Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Session hijacking attack #262

Open
pbonito opened this issue Jul 31, 2024 · 1 comment
Open

Session hijacking attack #262

pbonito opened this issue Jul 31, 2024 · 1 comment

Comments

@pbonito
Copy link

pbonito commented Jul 31, 2024
edited
Loading

Hi team,
we found a problem related to session cookie generated by authservice (__Host-AIS_session).

  • Login with 2 different account (UserA,UserB) from 2 different browser
  • Replace the cookie value of UserB with one from UserA
  • Refresh browser of UserB
  • Active session is transferred from UserA to UserB

How we can avoid this? Is there a way to tie __Host-AIS_session to browser cookie?

Thanks in advance for your help
@nacx
Copy link
Collaborator

nacx commented Oct 10, 2024
edited
Loading

I'm not fully understanding the problem:

Replace the cookie value of UserB with one from UserA

What do you mean by this, exactly? Is that replacement a manual thing a user would do?

The session cookie is configured with the HttpOnly and Secure flags. This means the cookie is only sent on HTTPS connections (preventing eavesdropping), and it won't be readable from javascript, so that malicious code injected int he client can't access it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nacx @pbonito