
Stash does not invalidate session upon login


Details

    • Suggestion
    • Resolution: Won't Fix
    • None
    • Security - Other
    • None
    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

Description

Stash does not invalidate session upon login. To reproduce, make sure you're logged out, delete the JSESSIONID cookie and open a page in Stash (not logged in) that creates a session (e.g. home link). A new JSESSIONID cookie will be generated and it will not change upon login, which allows for session fixation attacks. Confirmed that re-using the cookie value in another browser results in using the same session - and user account.

Worth noting that Stash does not accept (to the best of my knowledge) any way of providing session ID other than the cookie, so this is not easily exploitable. Nevertheless it is against good practices to keep the same session after login.
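The behaviour in the report, and the fix, as an added example that is not part of the issue or of Atlassian's code. It models a container's session map in Python with a constructed in-memory `SessionStore` and constructed credentials: `login_without_rotation` keeps the pre-login ID (what the report observes), `login_with_rotation` discards the anonymous session and issues a fresh one, and `session_id_rotates_on_login` is the check a reviewer would run, following the report's own reproduction steps: get an anonymous session, log in, compare the cookie value before and after, and confirm the old value no longer resolves to the authenticated session. In a Java servlet application the rotation step is `HttpSession.invalidate()` followed by `getSession(true)`, or `HttpServletRequest.changeSessionId()` on Servlet 3.1 and later.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed credential table for the example only; a real application
# verifies a password hash rather than comparing plaintext.
CREDENTIALS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    user: Optional[str] = None          # None until a login succeeds
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """In-memory stand-in for a servlet container's session map, keyed by
    the value that would travel in the JSESSIONID cookie (constructed)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        sid = secrets.token_hex(16)      # unguessable, like a container-issued ID
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def invalidate(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def _credentials_ok(username: str, password: str) -> bool:
    expected = CREDENTIALS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def login_without_rotation(store: SessionStore, sid: str,
                           username: str, password: str) -> str:
    """Behaviour the report describes: the pre-login session, and therefore
    its ID, is simply upgraded to an authenticated one."""
    if not _credentials_ok(username, password):
        raise PermissionError("bad credentials")
    session = store.get(sid)
    if session is None:
        sid = store.create()
        session = store.get(sid)
    session.user = username
    return sid                            # same cookie value as before login


def login_with_rotation(store: SessionStore, sid: str,
                        username: str, password: str) -> str:
    """Fix: discard the pre-login session and issue a fresh ID, carrying over
    only anonymous state that should survive login (e.g. a return URL)."""
    if not _credentials_ok(username, password):
        raise PermissionError("bad credentials")
    old = store.get(sid)
    carried = dict(old.data) if old else {}
    store.invalidate(sid)                 # the old ID must stop resolving
    new_sid = store.create()
    fresh = store.get(new_sid)
    fresh.data = carried
    fresh.user = username
    return new_sid


LoginFn = Callable[[SessionStore, str, str, str], str]


def session_id_rotates_on_login(login: LoginFn) -> bool:
    """Check mirroring the report's reproduction steps: obtain a session
    anonymously, log in, then require that the cookie value changed and that
    the pre-login value no longer maps to an authenticated session."""
    store = SessionStore()
    pre_login = store.create()            # anonymous visit, e.g. the home page
    post_login = login(store, pre_login, "alice", CREDENTIALS["alice"])
    stale = store.get(pre_login)
    old_id_still_authenticated = stale is not None and stale.user is not None
    return post_login != pre_login and not old_id_still_authenticated


if __name__ == "__main__":
    print("without rotation:", session_id_rotates_on_login(login_without_rotation))  # False
    print("with rotation:   ", session_id_rotates_on_login(login_with_rotation))     # True
```

The check is deliberately two-sided: a new cookie value alone is not enough if the container keeps the old session alive and authenticated, so the old ID is looked up again after login and must either be gone or still anonymous.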

People

Assignee: Unassigned
Reporter: Felix Herzog (felix.he.mms)
Votes: 0
Watchers: 4
