pombreda / appscale

Automatically exported from code.google.com/p/appscale

Malicious users can impersonate other users #120

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
If a user is able to see a logged in user's cookie (passed unencrypted
between the user and the AppServer), they can then create the same cookie
on their own box and impersonate that user even after the user is logged out.

Need to hash in the logged in user's IP address to prevent remote user
impersonations. This solution will not prevent malicious users with the
same IP address as the victim user, however.

Original issue reported on code.google.com by shattere...@gmail.com on 23 Nov 2009 at 7:00
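One way to implement the IP-bound cookie the report proposes, as an added example that is not AppScale's own code: the cookie carries the user name plus a keyed hash (an HMAC under a server-side secret, assumed here so that only the AppServer can mint a valid value) over the user name and the client IP, and the server recomputes that hash with the IP of the request being verified. A cookie copied to another box fails the check, while a copy presented from the victim's own IP still passes, which is the limitation the report notes. The cookie format and secret are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example. A real deployment loads one
# shared value from configuration so every AppServer instance verifies the same cookies.
SECRET_KEY = secrets.token_bytes(32)


def _mac(user: str, client_ip: str) -> str:
    """Keyed hash binding the user name to the client IP the login came from."""
    msg = f"{user}|{client_ip}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_cookie(user: str, client_ip: str) -> str:
    """Issue a cookie at login time. Constructed format: 'user|mac'.

    The IP is not stored in the cookie; it is only folded into the MAC, so the
    verifier must supply the IP of the request it is actually handling.
    """
    return f"{user}|{_mac(user, client_ip)}"


def verify_cookie(cookie: str, request_ip: str):
    """Return the user name if the cookie is intact and presented from the IP
    it was issued for, otherwise None.
    """
    parts = cookie.rsplit("|", 1)
    if len(parts) != 2:
        return None
    user, presented_mac = parts
    # Recompute over the IP of the current request, never over anything the
    # client claims: a cookie replayed from a different box produces a mismatch.
    expected = _mac(user, request_ip)
    if not hmac.compare_digest(presented_mac.encode(), expected.encode()):
        return None
    return user


if __name__ == "__main__":
    victim_cookie = make_cookie("alice", "10.0.0.5")
    print("same box   :", verify_cookie(victim_cookie, "10.0.0.5"))
    print("other box  :", verify_cookie(victim_cookie, "192.0.2.9"))
    print("same IP box:", verify_cookie(victim_cookie, "10.0.0.5"))
```

The last two calls show the two sides of the proposal: a remote copy of the cookie is rejected, but a copy presented from an address identical to the victim's is indistinguishable from the victim.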

GoogleCodeExporter commented 9 years ago
Delayed to next release, but still a potential security problem.

Original comment by shattere...@gmail.com on 7 Dec 2009 at 8:51

GoogleCodeExporter commented 9 years ago
Added Yiming to this issue since this also impacts the Java AppServer. Will discuss this after performance numbers are generated.

Original comment by shattere...@gmail.com on 7 Jan 2010 at 7:44

GoogleCodeExporter commented 9 years ago

Original comment by nlak...@gmail.com on 28 Mar 2011 at 10:32