Description
This is part of an audit that WhiteSource did on our site (see: #2052).
Our site does not properly invalidate a user's session after the user initiates logout: the session cookie issued before logout still authenticates after it. An attacker who captured the admin cookies (via local or network access, or by another hypothetical attack) can replay them and regain the admin session even though the admin has logged out.
Vulnerable code: https://github.com/ifmeorg/ifme/blob/v.7.31.2/app/helpers/header_helper.rb#L53
Reproduction Steps
- In dev: access the application by going to http://localhost:3000/users/sign_in and log in with the admin credentials.
Email: admin@example.com
Password: passworD@99
- Use the EditThisCookie extension to export the cookie values, then log out of the application.
- Now go back to EditThisCookie, import the copied cookies and refresh the page.
- After the refresh, we are logged in to the admin account again, even though we logged out.
Expected result: we should not be able to log back in with the copied cookies; logout should invalidate them. The root cause is that Rails' cookie session store keeps the whole session client-side, so logout only clears the browser's copy of the cookie; nothing on the server changes, and a saved copy of the cookie stays valid until the user's password (and with it Devise's `authenticatable_salt`) changes. We'll want to update configuration in the gem we use for authentication, called Devise, so that something stored in the session is rotated on logout. This post may be helpful!
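To make the mechanism concrete, here is an added example (not code from ifme or from Devise) that reproduces in plain Ruby what Devise does with the session cookie, and shows the fix of folding a per-user `session_token` into `authenticatable_salt` and rotating it on logout. The `User` and `UserStore` classes, the column name `session_token` and the `invalidate_all_sessions!` method are assumptions for the demo; the two `serialize_*` functions follow the shape of Devise's `serialize_into_session` / `serialize_from_session`, which store `[to_key, authenticatable_salt]` in the session and refuse the session when the salt no longer matches the record.

```ruby
require 'securerandom'

# Stand-in for a Devise user record (hypothetical; no ActiveRecord here).
# Devise's default authenticatable_salt is derived from encrypted_password,
# so it only changes on a password change. Folding a per-user session_token
# into it lets a logout invalidate every cookie issued before it.
class User
  attr_reader :id, :session_token

  def initialize(id)
    @id = id
    @session_token = SecureRandom.hex(16)   # assumed new column, filled on create
  end

  # In the real model this would be "#{super}#{session_token}" so a password
  # change still invalidates sessions too.
  def authenticatable_salt
    session_token
  end

  # Called from the sessions controller's destroy action on logout.
  def invalidate_all_sessions!
    @session_token = SecureRandom.hex(16)
  end
end

# In-memory stand-in for the users table (constructed for the demo).
class UserStore
  def initialize
    @users = {}
  end

  def add(user)
    @users[user.id] = user
  end

  def find(id)
    @users[id]
  end
end

# What goes into the session cookie at login: the record key plus the salt
# at that moment. With the cookie store this value lives in the browser.
def serialize_into_session(user)
  [[user.id], user.authenticatable_salt]
end

# What happens on every request: reload the record and accept the cookie
# only if the salt it carries still matches the record's current salt.
def serialize_from_session(store, key, salt)
  user = store.find(key.first)
  user if user && user.authenticatable_salt == salt
end

# Replays the attack from the issue: copy the admin cookie, log out, replay.
def replay_after_logout
  store = UserStore.new
  admin = User.new(1)
  store.add(admin)

  key, salt = serialize_into_session(admin)          # attacker copies this
  before_logout = serialize_from_session(store, key, salt)

  admin.invalidate_all_sessions!                      # logout rotates the token
  after_logout = serialize_from_session(store, key, salt)

  { before_logout: !before_logout.nil?, after_logout: !after_logout.nil? }
end

puts replay_after_logout.inspect if __FILE__ == $PROGRAM_NAME
```

Without the rotation step (the default Devise setup) `after_logout` would also be true, because the salt in the copied cookie still equals the salt derived from the unchanged password. Note that this only covers the Devise session itself; if the site also sets a `remember_user_token` cookie, `config.expire_all_remember_me_on_sign_out = true` in the Devise initializer is needed so that cookie is invalidated on logout as well.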
Please assign yourself (via the Assignees dropdown), if you do want to work on this issue. Can't find yourself? You need to join our organization.
Check out our Picking Up Issues guide if you haven't already!