@mattab opened this Issue on October 27th 2014 Member

The goal of this issue is to implement a more secure auth cookie mechanism.

This issue was reported by email to Piwik security team by Sandeep Venkatesan.


Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier, gives an attacker the opportunity to steal authenticated sessions.

1)login to the piwik
2)copy the cookie
3)logout from piwik
4)add cookie and its value in cookie editor
5)Reload the page
6)then the session valids.

i)when the attacker capture the cookies he/she may access the account .
ii)But even the victim logout .
iii)The attackers session remains same.
iv)The attacker further use the victims session.


  • make sure any existing session of user are not working after a successful change of password
  • maybe we also need a way to "Invalidate all current sessions" on other computers
  • Other?
This Issue was closed on July 26th 2018
Powered by GitHub Issue Mirror