gorilla / sessions

Package gorilla/sessions provides cookie and filesystem sessions and infrastructure for custom session backends.
https://gorilla.github.io
BSD 3-Clause "New" or "Revised" License

[BUG] Insufficient Session Expiration #282

Closed ramvisa closed 2 months ago

ramvisa commented 2 months ago

Current Behavior

sonatype-2021-4899 The gorilla/sessions package is vulnerable due to Insufficient Session Expiration. The library allows for the creation of session cookies with the NewCookieStore() function in store.go. However, there is no mechanism available for invalidating user sessions once they have been created in this way. The documentation instructs users to set the MaxAge attribute of a cookie to -1 using the MaxAge() function in order to invalidate the session associated with it. However, this does not invalidate the user's session on the server. A malicious user who is able to retrieve the value of a user's session cookie through a Cross-Site Scripting (XSS) attack, a Man-in-the-Middle (MitM) attack, or by some other means, will be able to use that session cookie to impersonate the user even after that user has logged out.

Expected Behavior

Invalidate the user session on the server

Steps To Reproduce

No response

Anything else?

No response
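The report above hinges on the difference between clearing a cookie on the client (what MaxAge=-1 does) and invalidating the session on the server. The following is an added example, not code from gorilla/sessions or from the reporter: it uses only the Go standard library and a constructed in-memory registry (`Registry`, `Handler`, `ReplayAfterLogout` are all names assumed here) to show a logout that revokes the server-side record as well as expiring the cookie, so that a cookie value captured before logout is rejected afterwards.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Registry is a constructed, in-memory server-side session registry (assumed here,
// not part of gorilla/sessions). Every issued session ID is recorded; logout deletes
// the record, so a cookie captured before logout cannot be replayed afterwards.
type Registry struct {
	mu       sync.Mutex
	sessions map[string]string // session ID -> user ID
}

func NewRegistry() *Registry { return &Registry{sessions: make(map[string]string)} }

// Create issues a fresh random session ID for user and records it server-side.
func (r *Registry) Create(user string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	id := hex.EncodeToString(b)
	r.mu.Lock()
	r.sessions[id] = user
	r.mu.Unlock()
	return id, nil
}

// Lookup reports the user bound to id, if the session is still live.
func (r *Registry) Lookup(id string) (string, bool) {
	r.mu.Lock()
	defer r.mu.Unlock()
	user, ok := r.sessions[id]
	return user, ok
}

// Revoke deletes the server-side record; the cookie value is now worthless.
func (r *Registry) Revoke(id string) {
	r.mu.Lock()
	delete(r.sessions, id)
	r.mu.Unlock()
}

const cookieName = "sid"

// Handler wires login, logout and a protected route to the registry.
func Handler(reg *Registry) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		id, err := reg.Create("alice") // constructed user; real code authenticates first
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		http.SetCookie(w, &http.Cookie{Name: cookieName, Value: id, Path: "/",
			HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	})
	mux.HandleFunc("/logout", func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(cookieName); err == nil {
			reg.Revoke(c.Value) // server-side invalidation, the part the report asks for
		}
		// Client-side clear: this alone is what MaxAge=-1 achieves.
		http.SetCookie(w, &http.Cookie{Name: cookieName, Value: "", Path: "/", MaxAge: -1})
	})
	mux.HandleFunc("/me", func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(cookieName)
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		user, ok := reg.Lookup(c.Value) // a revoked ID fails here even if the cookie is intact
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Write([]byte(user))
	})
	return mux
}

// ReplayAfterLogout logs in, keeps a copy of the issued cookie, logs out, and
// returns the status codes the protected route gives that same cookie value
// before and after logout.
func ReplayAfterLogout() (before, after int) {
	h := Handler(NewRegistry())
	do := func(method, path string, cookie *http.Cookie) *httptest.ResponseRecorder {
		req := httptest.NewRequest(method, path, nil)
		if cookie != nil {
			req.AddCookie(cookie)
		}
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		return rec
	}
	captured := do(http.MethodPost, "/login", nil).Result().Cookies()[0]
	before = do(http.MethodGet, "/me", captured).Code
	do(http.MethodPost, "/logout", captured)
	after = do(http.MethodGet, "/me", captured).Code
	return before, after
}

func main() {
	before, after := ReplayAfterLogout()
	println("before logout:", before, "after logout:", after) // 200 401
}
```

With a pure cookie store the session state lives inside the signed cookie itself, so there is no record to delete; the registry here stands in for whatever server-side state (a session ID table, a per-user session version, or a backend store) an application keeps so that logout can be enforced on the server rather than only requested of the browser.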

jaitaiwan commented 2 months ago

Up to the implementer on how to close or not the session on the server. Next time use the correct security channel for reporting vulnerabilities.