4.10 GHT2-010 --- Insecure Session Management
Vulnerability ID: GHT2-010
Retest status:
Vulnerability type: Insecure Session Management
Threat level: Moderate
Description:
The application's sessions have a long expiration time and remain active after users close the application.
Technical description:
The following cookie is used for Session Management:
Set-Cookie: sessionid=1|cjk0rf83tyqslhcl2rno4y2ae3is28pl|t0qHYRvJKgDi|IjgzNTAxYTVkZWEwN2ZmMzIzZjJkZDBhNjMzMGQwMzlkZTVkZmE4M2YyNDIzY2IwOTlhMzkyYWZjYmJjNGY2NDgi:1mfVnm:w7EVmS77rnrmdasPEk89O_UdTU0; Domain=.learn.staging.totem-project.org; expires=Tue, 23 Nov 2021 23:24:18 GMT; HttpOnly; Max-Age=2419200; Path=/; SameSite=None; Secure
The sessionid cookie is used in the Learn and Studio environments and the following issues were found:
- Valid for 30 days.
- The session remains active after a user closes or terminates the application. Note that the session is not invalidated when users click the logout button.
Impact:
- An adversary who obtains a valid cookie can use all functionality available to the user of that session. The exposure is more damaging and easier to exploit in practice where shared or public computers are used.
Recommendation:
- Set the maximum session time to no longer than a working day (e.g. 8 - 10 hours).
- Session expiration mechanisms should be employed to ensure that user sessions are effectively ended and become unusable once the user stops using the application (either by closing it or through inactivity).
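The recommendation above, as an added example (not code from the report or the tested application): a check that flags a Set-Cookie header whose Max-Age exceeds a working day, and a minimal server-side session store that enforces an absolute lifetime, an idle timeout and invalidation on logout. The 8-hour limit is the report's figure; the 30-minute idle timeout and the sample cookie value are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Absolute lifetime from the recommendation (one working day).
# The idle timeout is an assumed value; the report does not give one.
MAX_SESSION_AGE = timedelta(hours=8)
IDLE_TIMEOUT = timedelta(minutes=30)

def cookie_max_age(set_cookie: str) -> Optional[int]:
    """Return the Max-Age attribute of a Set-Cookie header in seconds, or None."""
    for attr in set_cookie.split(";")[1:]:          # skip the name=value pair
        name, _, value = attr.strip().partition("=")
        if name.lower() == "max-age":
            return int(value)
    return None

def exceeds_working_day(set_cookie: str, limit: timedelta = MAX_SESSION_AGE) -> bool:
    # True when the cookie lifetime is longer than the recommended maximum.
    age = cookie_max_age(set_cookie)
    return age is not None and age > limit.total_seconds()

@dataclass
class Session:
    created: datetime
    last_seen: datetime

class SessionStore:
    """Server-side store: a session id is only usable while it is present here."""
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
    def create(self, sid: str, now: datetime) -> None:
        self._sessions[sid] = Session(created=now, last_seen=now)
    def validate(self, sid: str, now: datetime) -> bool:
        """Accept the id only within both the absolute and the idle limit."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        if now - s.created > MAX_SESSION_AGE or now - s.last_seen > IDLE_TIMEOUT:
            self._sessions.pop(sid)                  # expired: drop server-side
            return False
        s.last_seen = now
        return True
    def logout(self, sid: str) -> None:
        """Invalidate server-side so a captured cookie cannot be replayed."""
        self._sessions.pop(sid, None)

# Constructed sample with the same attributes as the header in the finding.
SAMPLE = ("sessionid=EXAMPLEVALUE; Domain=.example.org; HttpOnly; "
          "Max-Age=2419200; Path=/; SameSite=None; Secure")
```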