[OPENMEETINGS-1399] OpenMeetings is vulnerable to session fixation - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 3.1.1
Fix Version/s: 3.1.2, 3.2.0, 4.0.0
Component/s: Builds, UI
Labels:
None
Environment:
Ubuntu 14.04.4
Java(TM) SE Runtime Environment (build 1.8.0_45-b14)

Description

The cookie JSESSIONID is issued before login, and is not changed on successful login. Therefore, an attacker can know this cookie and use it after a valid user authenticated it. This holds especially for shared workstations.

Attachments

Activity

People

Assignee:: Maxim Solodovnik

Reporter:: Michal S

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 11/May/16 12:07

Updated:: 13/Jul/16 06:12

Resolved:: 12/May/16 03:23