Details
Suggestion
Resolution: Won't Fix
Description
Stash does not invalidate the session upon login. To reproduce, make sure you're logged out, delete the JSESSIONID cookie and open a page in Stash (not logged in) that creates a session (e.g. the home link). A new JSESSIONID cookie will be generated, and it will not change upon login, which allows for session fixation attacks. Confirmed that re-using the cookie value in another browser results in using the same session, and the same user account.
Worth noting that Stash does not accept (to the best of my knowledge) any way of providing the session ID other than the cookie, so this is not easily exploitable. Nevertheless, it is against good practice to keep the same session after login.
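The following is an added illustration, not Stash's code or anything from the report: a minimal in-memory session store, constructed here, that can be run in the reported mode (the session identifier survives login) and in the hardened mode (a fresh identifier is issued at login and the pre-login one is discarded). The two check functions carry out exactly the steps the report describes, obtaining an anonymous session first and then logging in, and return whether the identifier changed and whether the pre-login cookie still reaches the account. Names, the `rotate_on_login` switch and the username are all assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Toy server-side session store keyed by the JSESSIONID cookie value.

    rotate_on_login=False models the behaviour in the report; True models the fix.
    (Constructed for illustration; not the real Stash session handling.)
    """
    rotate_on_login: bool
    sessions: dict = field(default_factory=dict)

    def get_or_create(self, cookie):
        """Resolve a cookie to a session, creating an anonymous one if there is none.

        This is the 'open the home page while logged out' step from the report.
        """
        if cookie is not None and cookie in self.sessions:
            return cookie
        sid = secrets.token_hex(16)          # new JSESSIONID value
        self.sessions[sid] = {"user": None}  # anonymous session
        return sid

    def login(self, cookie, username):
        """Authenticate the user behind `cookie` and return the cookie to send back."""
        sid = self.get_or_create(cookie)
        if self.rotate_on_login:
            # Hardened behaviour: move the session data under a brand-new id and
            # forget the pre-login id, so a value fixed before login is worthless.
            data = self.sessions.pop(sid)
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, cookie):
        """Which account does this cookie currently map to (None if anonymous/unknown)?"""
        return self.sessions.get(cookie, {}).get("user")


def session_id_changes_on_login(store, username="alice"):
    """The report's check: does the JSESSIONID issued before login differ afterwards?"""
    pre_login = store.get_or_create(None)   # logged out, no cookie yet
    post_login = store.login(pre_login, username)
    return pre_login != post_login


def pre_login_cookie_reaches_account(store, username="alice"):
    """The report's second observation: does a cookie issued before login still
    resolve to the logged-in account once the user has authenticated?"""
    pre_login = store.get_or_create(None)
    store.login(pre_login, username)
    return store.whoami(pre_login) == username


if __name__ == "__main__":
    for mode in (False, True):
        store = SessionStore(rotate_on_login=mode)
        print(f"rotate_on_login={mode}: id changes={session_id_changes_on_login(store)}, "
              f"old cookie still logged in={pre_login_cookie_reaches_account(store)}")
```

Running the block shows the reported state (`rotate_on_login=False`) as "id changes=False, old cookie still logged in=True" and the fixed state as the reverse. The same two checks can be applied manually to any web application by recording the session cookie before and after authentication; an unchanged value is the finding the report describes.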