Session hijacking attack #262

Open
pbonito opened this issue Jul 31, 2024 · 2 comments

Comments

@pbonito

pbonito commented Jul 31, 2024

Hi team,
we found a problem related to the session cookie generated by authservice (__Host-AIS_session).

  • Log in with 2 different accounts (UserA, UserB) from 2 different browsers
  • Replace the cookie value of UserB with the one from UserA
  • Refresh the browser of UserB
  • The active session is transferred from UserA to UserB

How can we avoid this? Is there a way to tie __Host-AIS_session to the browser cookie?

Thanks in advance for your help

@nacx
Collaborator

nacx commented Oct 10, 2024

I'm not fully understanding the problem:

Replace the cookie value of UserB with one from UserA

What do you mean by this, exactly? Is that replacement a manual thing a user would do?

The session cookie is configured with the HttpOnly and Secure flags. This means the cookie is only sent on HTTPS connections (preventing eavesdropping), and it won't be readable from JavaScript, so that malicious code injected into the client can't access it.
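A quick way to verify that a session cookie such as __Host-AIS_session really carries the attributes described above: the `__Host-` prefix is only honoured by browsers when the cookie is Secure, has Path=/ and no Domain, and HttpOnly keeps it out of script. This is an added example in Python, not authservice code; the Set-Cookie header values are constructed.

```python
"""Check a Set-Cookie header against the __Host- prefix rules plus HttpOnly/Secure.

Added example (not part of authservice). Note that these flags protect the
cookie from being read by script or sent in clear text; they do not prevent a
copied cookie value from being accepted, because the value is a bearer token.
"""
from dataclasses import dataclass, field


@dataclass
class SetCookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or None for flag attributes
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> SetCookie:
    """Split a Set-Cookie header into name, value and its attribute list."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return SetCookie(name.strip(), value.strip(), attrs)


def cookie_problems(header: str) -> list:
    """Return the hardening rules the cookie violates; an empty list means OK."""
    cookie = parse_set_cookie(header)
    problems = []
    if "secure" not in cookie.attrs:
        problems.append("missing Secure")
    if "httponly" not in cookie.attrs:
        problems.append("missing HttpOnly")
    if cookie.name.startswith("__Host-"):
        # Browsers reject a __Host- cookie that breaks these rules.
        if cookie.attrs.get("path") != "/":
            problems.append("__Host- requires Path=/")
        if "domain" in cookie.attrs:
            problems.append("__Host- forbids Domain")
    return problems


if __name__ == "__main__":
    # Constructed headers: the first is hardened, the second is not.
    for hdr in ("__Host-AIS_session=opaque-id; Path=/; Secure; HttpOnly",
                "__Host-AIS_session=opaque-id; Domain=example.com; HttpOnly"):
        print(hdr, "->", cookie_problems(hdr) or "OK")
```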

@pbonito
Author

pbonito commented Nov 18, 2024

Yes, it was a manual thing, but we agreed with security team that there was not a valid solution to this issue.
