Session not invalidated after logout #6531
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Task
Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.
Milestone
The goal of this issue is to implement a more secure auth cookie mechanism.
This issue was reported by email to Piwik security team by Sandeep Venkatesan.
Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier, gives an attacker the opportunity to steal authenticated sessions.
1)login to the piwik
2)copy the cookie
3)logout from piwik
4)add cookie and its value in cookie editor
5)Reload the page
6)then the session valids.
i)when the attacker capture the cookies he/she may access the account .
ii)But even the victim logout .
iii)The attackers session remains same.
iv)The attacker further use the victims session.
Steps
The text was updated successfully, but these errors were encountered: