[BUG] Insufficient Session Expiration #282

Closed
1 task done
ramvisa opened this issue Sep 11, 2024 · 1 comment
ramvisa commented Sep 11, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

sonatype-2021-4899: The gorilla/sessions package is vulnerable due to Insufficient Session Expiration. The library allows for the creation of session cookies with the NewCookieStore() function in store.go. However, there is no mechanism available for invalidating user sessions once they have been created in this way. The documentation instructs users to set the MaxAge attribute of a cookie to -1 using the MaxAge() function in order to invalidate the session associated with it. However, this does not invalidate the user's session on the server. A malicious user who is able to retrieve the value of a user's session cookie through a Cross-Site Scripting (XSS) attack, a Man-in-the-Middle (MitM) attack, or by some other means, will be able to use that session cookie to impersonate the user even after that user has logged out.

Expected Behavior

Invalidate the user session on the server

Steps To Reproduce

No response

Anything else?

No response

@ramvisa ramvisa added the bug label Sep 11, 2024
jaitaiwan (Member) commented

Up to the implementer on how to close or not close the session on the server. Next time use the correct security channel for reporting vulnerabilities.
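The point in both the report and the maintainer's reply (a cookie-only store has no server-side state to invalidate, so revocation is the implementer's job) can be shown without the library itself. The following is an added example, not code from gorilla/sessions or from either participant: it models a stateless HMAC-signed session cookie using only the Go standard library, then adds a server-side revocation list keyed by a per-session ID carried inside the cookie. The type and function names (`Store`, `Issue`, `VerifyStateless`, `Logout`, `Verify`), the cookie layout and the demo key are assumptions made for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// payload is everything a cookie-only store knows about a session; it travels in the cookie.
type payload struct {
	ID      string    `json:"id"`
	User    string    `json:"user"`
	Expires time.Time `json:"exp"`
}

// Store signs cookies with HMAC-SHA256 and, for the hardened path, keeps revoked session IDs.
type Store struct {
	key     []byte
	revoked map[string]time.Time // session ID -> cookie expiry
}

func NewStore(key []byte) *Store {
	return &Store{key: key, revoked: map[string]time.Time{}}
}

func (s *Store) mac(data string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(data))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue returns a cookie value of the form base64(payload).base64(hmac).
func (s *Store) Issue(user string, ttl time.Duration) (string, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	p := payload{ID: base64.RawURLEncoding.EncodeToString(id), User: user, Expires: time.Now().Add(ttl)}
	raw, _ := json.Marshal(p) // plain strings and a time.Time cannot fail to marshal
	enc := base64.RawURLEncoding.EncodeToString(raw)
	return enc + "." + s.mac(enc), nil
}

// VerifyStateless is the vulnerable check from the issue: signature and expiry
// are all a purely cookie-backed store can test, so a copied cookie is still
// accepted after its owner has logged out.
func (s *Store) VerifyStateless(cookie string) (p payload, err error) {
	enc, sig, ok := strings.Cut(cookie, ".")
	if !ok || !hmac.Equal([]byte(sig), []byte(s.mac(enc))) {
		return p, fmt.Errorf("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil {
		return p, err
	}
	if err = json.Unmarshal(raw, &p); err != nil {
		return p, err
	}
	if time.Now().After(p.Expires) {
		return p, fmt.Errorf("expired")
	}
	return p, nil
}

// Logout is the server-side invalidation the report asks for: remember the
// session ID until the cookie would have expired on its own.
func (s *Store) Logout(cookie string) error {
	p, err := s.VerifyStateless(cookie)
	if err != nil {
		return err
	}
	s.revoked[p.ID] = p.Expires
	return nil
}

// Verify is the hardened check: signature, expiry, and not revoked. A real
// deployment would guard the map (or use shared storage) and prune expired entries.
func (s *Store) Verify(cookie string) (string, error) {
	p, err := s.VerifyStateless(cookie)
	if err != nil {
		return "", err
	}
	if _, gone := s.revoked[p.ID]; gone {
		return "", fmt.Errorf("session revoked")
	}
	return p.User, nil
}

func main() {
	s := NewStore([]byte("constructed-demo-key")) // constructed for the demo, not a real key
	c, _ := s.Issue("alice", time.Hour)
	_ = s.Logout(c) // alice logs out, but a copy of c may still be held elsewhere
	p, err := s.VerifyStateless(c)
	fmt.Println(p.User, err) // alice <nil>: the stateless check still accepts the copy
	fmt.Println(s.Verify(c)) //  session revoked
}
```

Setting MaxAge to -1 only tells the browser to drop the cookie; it changes nothing in `VerifyStateless`, which is why the copy keeps working. The revocation map is the smallest server-side state that makes logout effective; a backend-backed store with a session registry achieves the same result with more state.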
