#1 2025-03-11 20:05:31

itSDS
Member
From: Germany
Registered: 2014-04-24
Posts: 544

Security Problem with Session Cookie

Hi Arnaud, a pentester has tested our MVC server!

He found this vulnerability:

He saved the session cookie on the client side, then logged out from the server (on the server, CurrentSession.Finalize is called and the client cookie is removed).
But after this he used the saved cookie to call MVC pages.
The cookie is still valid.

Do you know a simple way to invalidate such cookies?

We create session cookies after the login function with CurrentSession.Initialize and check them with CurrentSession.CheckAndRetrieve.

Thank you


Rad Studio 12.3 Athens


#2 2025-03-12 10:55:33

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,926

Re: Security Problem with Session Cookie

I am looking into this.

We indeed need to maintain a list of valid session IDs for such cases.

Do you set an invalidation timeout?


#3 2025-03-12 18:17:42

itSDS

Re: Security Problem with Session Cookie

Yes, the timeout is set to 240 min.



#4 2025-03-14 21:09:53

ab

Re: Security Problem with Session Cookie

Please try with tonight's code.

It should keep track of the finalized sessions, and reject them.
I also switched the cookie signature and encryption to AES-GCM-128 which is both very fast and cryptographically secure.
As far as I can tell, there is no advantage of using a JWT in respect to our TBinaryCookieGenerator now.


#5 2025-03-19 09:38:13

itSDS

Re: Security Problem with Session Cookie

Hi Arnaud, I tested it today and it seems to be secure now; I could not use the deleted cookie any more.



#6 2025-03-19 09:45:06

itSDS

Re: Security Problem with Session Cookie

There was one thing that happened to me :)
I changed CookieName to "DIT Test" and later got an error in the reverse proxy:

  Description
  This violation occurs when HTTP cookies contain at least one of the following components:
  - Quotation marks in the cookie name.
  - A space in the cookie name.
  - An equal sign (=) in the cookie name.
  Note: A space between the cookie name and the equal sign (=), and between the equal sign (=) and cookie value is allowed.
  - An equal sign (=) before the cookie name.
  - A carriage return (hexadecimal value of 0xd) in the cookie name.

Maybe there should be a check routine in SetCookieName throwing an exception if the name does not match the rules for cookie names :)


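Added illustration (not mORMot's code, and not from any poster in this thread) of the two points raised in #4 and #6: a server-side session store that remembers finalized session IDs, so a cookie saved before logout is rejected even though its signature and timeout would still pass, plus an RFC 6265 token check for cookie names that would have caught "DIT Test" before the reverse proxy did. The HMAC-SHA256 signature, the `SessionStore` class and its `initialize` / `check_and_retrieve` / `finalize` methods, and `is_valid_cookie_name` are assumptions modelled on the thread, not the framework's API; the 240-minute timeout in the test is the value from #3.

```python
import hashlib
import hmac
import re
import secrets

# Constructed demo secret; a real server loads it from protected configuration.
SECRET = secrets.token_bytes(32)

# RFC 6265 cookie names are HTTP tokens: no spaces, quotes, '=' or control
# characters, which is what the reverse proxy message quoted above complains about.
COOKIE_NAME_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def is_valid_cookie_name(name: str) -> bool:
    return COOKIE_NAME_RE.fullmatch(name) is not None

class SessionStore:
    def __init__(self, timeout_seconds: float):
        self.timeout = timeout_seconds
        self.active = {}     # session id -> expiry time (seconds)
        # Logged-out ids. Entries can be dropped once their expiry has passed,
        # because the timeout check below rejects them anyway.
        self.finalized = {}

    def _sign(self, sid: str) -> str:
        return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()

    def initialize(self, now: float) -> str:
        # Login: mint a random session id and return the cookie value "id.signature".
        sid = secrets.token_urlsafe(24)
        self.active[sid] = now + self.timeout
        return f"{sid}.{self._sign(sid)}"

    def check_and_retrieve(self, cookie: str, now: float):
        # Return the session id for a valid, live cookie, otherwise None.
        sid, _, sig = cookie.partition(".")
        if not hmac.compare_digest(sig, self._sign(sid)):
            return None  # forged or tampered cookie
        if sid in self.finalized:
            return None  # logged out: rejected although signature and timeout still pass
        expiry = self.active.get(sid)
        return sid if expiry is not None and expiry >= now else None

    def finalize(self, cookie: str, now: float) -> bool:
        # Logout: move the session to the finalized list so a saved copy of the cookie is dead.
        sid = self.check_and_retrieve(cookie, now)
        if sid is None:
            return False
        self.finalized[sid] = self.active.pop(sid)
        return True
```

A purely signed or encrypted cookie (JWT or TBinaryCookieGenerator alike) cannot be revoked by itself; the `finalized` table is the part the pentester's replay test exercises.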

#7 2025-03-19 15:25:18

ab

Re: Security Problem with Session Cookie
