Session not invalidated after logout #6531

Closed
mattab opened this issue Oct 27, 2014 · 0 comments
Labels
  • c: Security (For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.)
  • Task (Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.)

Comments

@mattab
Member

mattab commented Oct 27, 2014

The goal of this issue is to implement a more secure auth cookie mechanism.

This issue was reported by email to the Piwik security team by Sandeep Venkatesan.

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier, gives an attacker the opportunity to steal authenticated sessions.

1) Log in to Piwik.
2) Copy the cookie.
3) Log out from Piwik.
4) Add the cookie and its value in a cookie editor.
5) Reload the page.
6) The session is then valid.

i) When the attacker captures the cookies, he/she may access the account.
ii) Even when the victim logs out,
iii) the attacker's session remains the same.
iv) The attacker can further use the victim's session.

Steps

  • make sure any existing sessions of the user no longer work after a successful change of password
  • maybe we also need a way to "Invalidate all current sessions" on other computers
  • Other?
mattab added the Task and c: Security labels Oct 27, 2014
mattab added this to the Mid term milestone Oct 27, 2014
mattab modified the milestones: Long term, Mid term Dec 5, 2016
diosmosis self-assigned this Sep 2, 2017
mattab modified the milestones: 3.5.0, 3.4.0 Mar 19, 2018
mattab modified the milestones: 3.6.0, 3.5.0 Apr 9, 2018
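
The replay in steps 1 to 6 of the report, as an added example that is not part of the original issue and is not Matomo code: a cookie the server checks only by signature stays valid after logout, while a cookie tied to a server-side session record can be revoked on logout and on password change. All names (`stateless_cookie`, `SessionStore`, `revoke_all`) and the signed-cookie design are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed key for this example

def stateless_cookie(login):
    """Weak design (assumed): the cookie is an HMAC over the login, no server state."""
    return login + ":" + hmac.new(SERVER_KEY, login.encode(), hashlib.sha256).hexdigest()

def stateless_valid(cookie):
    login, _, mac = cookie.partition(":")
    expected = hmac.new(SERVER_KEY, login.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

class SessionStore:
    """Hardened design: each cookie value maps to a revocable server-side record."""
    def __init__(self):
        self._sessions = {}  # sha256(session id) -> login

    @staticmethod
    def _key(session_id):
        return hashlib.sha256(session_id.encode()).hexdigest()

    def login(self, login):
        session_id = secrets.token_urlsafe(32)  # fresh random id on every login
        self._sessions[self._key(session_id)] = login
        return session_id

    def valid(self, session_id):
        return self._key(session_id) in self._sessions

    def logout(self, session_id):
        self._sessions.pop(self._key(session_id), None)

    def revoke_all(self, login):
        """Run after a password change or an "invalidate all sessions" request."""
        self._sessions = {k: v for k, v in self._sessions.items() if v != login}

def replay_after_logout():
    """Steps 1-6 of the report against both designs: (weak_ok, hardened_ok)."""
    copied_weak = stateless_cookie("alice")  # steps 1-2: log in, copy cookie
    # Step 3: logout only deletes the browser's copy; the server has nothing to revoke.
    weak_ok = stateless_valid(copied_weak)   # steps 4-6: re-add cookie, reload
    store = SessionStore()
    copied = store.login("alice")
    store.logout(copied)                     # logout deletes the server-side record
    return weak_ok, store.valid(copied)

def replay_after_password_change():
    store = SessionStore()
    laptop, phone = store.login("alice"), store.login("alice")
    store.revoke_all("alice")                # first item under "Steps"
    return store.valid(laptop), store.valid(phone)
```

The store keeps only a hash of each session id, so a leaked copy of the session table does not hand out usable cookie values.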