Security Problem with Session Cookie

itSDS · 2025-03-11 20:05:31

Hi Arnaud, a Pentester has tested our mvc Server !

He found this vulnerability:

He saved the Session Cookie on client Site. Logged out frrom Server (On Server CurrentSession.Finalize is called and client Cookie Removed)
But after this he used the saved Cookie to call MVC - Pages.
The Cookie is still valid.

Do you know a simple way to invalidate such cookies ?

We Create Session Cookies after Login-Funktion with CurrentSession.Initialize and check it with CurrentSession.CheckAndRetrieve

Thank you

ab · 2025-03-12 10:55:33

I am looking into this.

We indeed need to maintain a list of valid session IDs for such cases.

Do you set an invalidation timeout?

itSDS · 2025-03-12 18:17:42

Yes Timeout is set to 240min

ab · 2025-03-14 21:09:53

Please try with tonight's code.

It should keep track of the finalized sessions, and reject them.
I also switched the cookie signature and encryption to AES-GCM-128 which is both very fast and cryptographically secure.
As far as I can tell, there is no advantage of using a JWT in respect to our TBinaryCookieGenerator now.

itSDS · 2025-03-19 09:38:13

Hi Arnaud i testet it today an it seems to be secure now, could not use deletet Cookie any more.

itSDS · 2025-03-19 09:45:06

There was one thing, happened to me
I changed CookieName to "DIT Test" and later got error in Reverse Proxy:

  Description
  This violation occurs when HTTP cookies contain at least one of the following components:
  - Quotation marks in the cookie name.
  - A space in the cookie name.
  - An equal sign (=) in the cookie name.
  Note: A space between the cookie name and the equal sign (=), and between the equal sign (=) and cookie value is allowed.
  - An equal sign (=) before the cookie name.
  - A carriage return (hexadecimal value of 0xd) in the cookie name.

may be there should be a Check-Routine in SetCookieName throwing Exception if name does not match the rules für Cookie Names

ab · 2025-03-19 15:25:18

Should be OK with
https://github.com/synopse/mORMot2/commit/ef7be269c

itSDS · 2025-04-16 09:11:50

ab wrote:

Please try with tonight's code.
It should keep track of the finalized sessions, and reject them.
I also switched the cookie signature and encryption to AES-GCM-128 which is both very fast and cryptographically secure.
As far as I can tell, there is no advantage of using a JWT in respect to our TBinaryCookieGenerator now.

Hi Arnaud, sorry i testet wrong. The Problem was not solved correctly.
I didn't provide function for fApplication.OnSessionFinalized so invalidate was not called.

But if i provide function there is an Stack Overflow generated because finalize is called recursive.

itSDS · 2025-04-16 10:02:51

Hi As BUGFix i commented the Lines 1539-1541 in mormot.rest.mvc

  result := fContext.Validate(
    cookie, PRecordData, PRecordTypeInfo, PExpires, nil, Invalidate);
//  if result <= 0 then
//    // delete any invalid/expired cookie on server side
//    Finalize;
end;

ab · 2025-04-16 11:58:58

Perhaps
https://github.com/synopse/mORMot2/commit/76a66507b
should be enough.

itSDS · 2025-04-16 12:38:54

TY looks good !

mORMot Open Source

#1 2025-03-11 20:05:31

Security Problem with Session Cookie

#2 2025-03-12 10:55:33

Re: Security Problem with Session Cookie

#3 2025-03-12 18:17:42

Re: Security Problem with Session Cookie

#4 2025-03-14 21:09:53

Re: Security Problem with Session Cookie

#5 2025-03-19 09:38:13

Re: Security Problem with Session Cookie

#6 2025-03-19 09:45:06

Re: Security Problem with Session Cookie

#7 2025-03-19 15:25:18

Re: Security Problem with Session Cookie

#8 2025-04-16 09:11:50

Re: Security Problem with Session Cookie

#9 2025-04-16 10:02:51

Re: Security Problem with Session Cookie

#10 2025-04-16 11:58:58

Re: Security Problem with Session Cookie

#11 2025-04-16 12:38:54

Re: Security Problem with Session Cookie

Board footer