Session key reuse creates minor security flaw.
Reported by: Jay Hargis
Owned by: Malcolm Tredinnick
Severity: (not set)
Keywords: session, session key, duplicate
Has patch: yes
Needs documentation: yes
Needs tests: yes
Patch needs improvement: no
When you store data in a user session, then log out and log in (or simply just log in again), you end up reusing the existing session key saved in the browser cookie. This exposes any user who can authenticate to session data that does not belong to them. A public terminal scenario would be the most likely cause for concern.
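To illustrate the shared-terminal scenario described above, here is an added example (constructed for this page, not Django's code or the ticket's patch) using a minimal in-memory session store: one login function keeps whatever key the browser already sends, the other issues a fresh key at authentication, and a small scenario shows which one leaks the previous user's data.

```python
import secrets
from typing import Optional


class SessionStore:
    """Simplified in-memory session store (hypothetical; not Django's implementation)."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def new_key(self) -> str:
        key = secrets.token_hex(16)      # fresh random key with an empty session
        self._sessions[key] = {}
        return key

    def data(self, key: str) -> dict:
        return self._sessions.setdefault(key, {})

    def delete(self, key: str) -> None:
        self._sessions.pop(key, None)


def login_reusing_key(store: SessionStore, cookie_key: Optional[str], user: str) -> str:
    """Pattern the ticket reports: keep the key from the cookie if one is present.
    Anything a previous user stored under that key is now readable by this user."""
    key = cookie_key if cookie_key is not None else store.new_key()
    store.data(key)["user"] = user
    return key


def login_rotating_key(store: SessionStore, cookie_key: Optional[str], user: str) -> str:
    """Mitigation: always start a brand-new session key at authentication and drop the
    old one, so the new user never inherits state left behind in the browser's cookie."""
    if cookie_key is not None:
        store.delete(cookie_key)
    key = store.new_key()
    store.data(key)["user"] = user
    return key


def shared_terminal_scenario(login):
    """Alice logs in, stores private data and logs out; Bob logs in on the same browser,
    which still sends Alice's cookie. Returns (what Bob's session sees, key was rotated)."""
    store = SessionStore()
    k_alice = login(store, None, "alice")
    store.data(k_alice)["cart"] = ["private item"]   # constructed sample session data
    store.data(k_alice).pop("user", None)            # logout clears auth, not the key
    k_bob = login(store, k_alice, "bob")
    return dict(store.data(k_bob)), k_alice != k_bob
```

A regression test for the fix reduces to asserting that the key returned after login differs from the one the request carried and that the old key's data is gone.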
Change History (19)

comment:1 Changed 9 years ago by
  Patch needs improvement: unset

comment:2 Changed 9 years ago by
  Triage Stage: Unreviewed → Accepted

comment:3 Changed 8 years ago by
  Summary: Session key reuse creates security flaw. → Session key reuse creates minor security flaw.