Session key reuse creates minor security flaw.
| Reported by: | jb0t | Owned by: | mtredinnick |
| Severity: | | Keywords: | session, session key, duplicate |
| Has patch: | yes | Needs documentation: | yes |
| Needs tests: | yes | Patch needs improvement: | no |
When you store data in a user session, then log out and log in (or simply just log in again), you end up reusing the existing session key saved in the browser cookie. This exposes any user who can authenticate to session data that does not belong to them. A public terminal scenario would be the most likely cause for concern.
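The reuse described in the report, as an added example that is not part of the ticket and not the project's own code: a constructed in-memory session store with a login that keeps the browser's existing key beside one that issues a fresh key. All names (`SessionStore`, `login_reusing_key`, `login_fresh_key`, `shared_terminal`) are hypothetical, and discarding the old session on every login is an assumption of this sketch.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store keyed by the cookie value."""

    def __init__(self):
        self._data = {}

    def new_key(self):
        # Unpredictable key, created with an empty session dict.
        key = secrets.token_hex(16)
        self._data[key] = {}
        return key

    def get(self, key):
        return self._data.get(key)

    def drop(self, key):
        self._data.pop(key, None)


def login_reusing_key(store, cookie_key, user):
    """Flawed: keeps whatever key (and stored data) the browser already holds."""
    if store.get(cookie_key) is None:
        cookie_key = store.new_key()
    store.get(cookie_key)["user"] = user
    return cookie_key


def login_fresh_key(store, cookie_key, user):
    """Hardened: discard the old session and issue a new key at login."""
    if cookie_key is not None:
        store.drop(cookie_key)
    new_key = store.new_key()
    store.get(new_key)["user"] = user
    return new_key


def shared_terminal(login):
    """Alice stores data, then Bob logs in from the same browser cookie."""
    store = SessionStore()
    cookie = login(store, None, "alice")
    store.get(cookie)["cart"] = ["alice-private-item"]  # constructed sample data
    bob_cookie = login(store, cookie, "bob")
    # Returns (was the key reused?, what Bob's session now contains).
    return cookie == bob_cookie, store.get(bob_cookie)
```

`shared_terminal(login_reusing_key)` shows the second user inheriting the first user's stored data under the same key; `shared_terminal(login_fresh_key)` shows a new key with only the second user's own data.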
Change History (19)
comment:1 Changed 8 years ago by axiak
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
Changed 8 years ago by axiak
comment:2 Changed 8 years ago by axiak
- Has patch set
- Needs tests set
- Triage Stage changed from Unreviewed to Accepted
comment:3 Changed 8 years ago by jacob
- Summary changed from Session key reuse creates security flaw. to Session key reuse creates minor security flaw.
comment:14 Changed 8 years ago by mtredinnick
- Resolution set to fixed
- Status changed from new to closed