Updated by Niels Lindenthal about 12 years ago
The current implementation of session lifetime allows users whose session cookie carries no information about their last activity to access OpenProject. This can happen when session lifetime was previously disabled: the last-activity time is only written to the cookie returned in the response to the first request after session lifetime is enabled.
Attack Scenario:
1. Session lifetime disabled
2. Victim logs in, gets session cookie without time
3. Attacker steals session cookie
4. Admin enables session lifetime
5. Attacker uses old session cookie to access application indefinitely
The session cookie doesn't contain information about the last activity, so the session never times out. The attacker just has to ignore the Set-Cookie directive in each response from OpenProject and reuse the old cookie for each request.
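The check that makes this scenario work is "no last-activity stamp means no expiry". Below is an added Ruby illustration (not OpenProject's own code) of that vulnerable check beside a hardened one that treats a missing stamp as an expired session whenever a lifetime is configured and refreshes the stamp on every request; the session hash, `:updated_at` key and 30-minute TTL are assumptions for the example.

```ruby
require 'time'

# Constructed example: the session is a hash as a cookie store would
# deserialize it; :updated_at is the last-activity time stored in the cookie.
SESSION_TTL_MINUTES = 30

# Vulnerable check: a session that carries no :updated_at is never considered
# expired, so a cookie issued while the lifetime feature was disabled stays
# valid forever once the feature is switched on.
def session_expired_vulnerable?(session, now: Time.now)
  return false unless session[:updated_at]
  now - session[:updated_at] > SESSION_TTL_MINUTES * 60
end

# Hardened check: when a lifetime is configured, a session without a
# last-activity stamp is treated as expired. A replayed cookie that is never
# updated therefore expires after at most one TTL.
def session_expired?(session, now: Time.now, lifetime_enabled: true)
  return false unless lifetime_enabled
  last = session[:updated_at]
  return true if last.nil?
  now - last > SESSION_TTL_MINUTES * 60
end

# Per-request handling: reject expired sessions (clearing the hash so a new
# login is required), otherwise refresh the stamp so the next cookie issued
# carries the current activity time. Returns :expired or :ok.
def touch_session(session, now: Time.now, lifetime_enabled: true)
  if session_expired?(session, now: now, lifetime_enabled: lifetime_enabled)
    session.clear
    return :expired
  end
  session[:updated_at] = now
  :ok
end
```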