@mattab opened this Issue on October 27th 2014 Owner

The goal of this issue is to implement a more secure auth cookie mechanism.

This issue was reported by email to Piwik security team by Sandeep Venkatesan.

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier, gives an attacker the opportunity to steal authenticated sessions.

1)login to the piwik
2)copy the cookie
3)logout from piwik
4)add cookie and its value in cookie editor
5)Reload the page
6)then the session valids.

i)when the attacker capture the cookies he/she may access the account .
ii)But even the victim logout .
iii)The attackers session remains same.
iv)The attacker further use the victims session.

Steps

  • make sure any existing session of user are not working after a successful change of password
  • maybe we also need a way to "Invalidate all current sessions" on other computers
  • Other?
Powered by GitHub Issue Mirror