Session hijacking attack

istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh

Apache License 2.0

220 stars 62 forks source link

Session hijacking attack #262

Open pbonito opened 3 months ago

pbonito commented 3 months ago

Hi team, we found a problem related to session cookie generated by authservice (__Host-AIS_session).

Login with 2 different account (UserA,UserB) from 2 different browser
Replace the cookie value of UserB with one from UserA
Refresh browser of UserB
Active session is transferred from UserA to UserB

How we can avoid this? Is there a way to tie __Host-AIS_session to browser cookie?

Thanks in advance for your help

nacx commented 1 month ago

I'm not fully understanding the problem:

Replace the cookie value of UserB with one from UserA

What do you mean by this, exactly? Is that replacement a manual thing a user would do?

The session cookie is configured with the HttpOnly and Secure flags. This means the cookie is only sent on HTTPS connections (preventing eavesdropping), and it won't be readable from javascript, so that malicious code injected int he client can't access it.

pbonito commented 1 week ago

Yes, it was a manual thing, but we agreed with security team that there was not a valid solution to this issue.