Bitbucket Data Center / BSERV-4216

Stash does not invalidate session upon login


    • Type: Suggestion
    • Resolution: Won't Fix
    • Component: Security - Other
    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

Stash does not invalidate session upon login. To reproduce, make sure you're logged out, delete the JSESSIONID cookie and open a page in Stash (not logged in) that creates a session (e.g. home link). A new JSESSIONID cookie will be generated and it will not change upon login, which allows for session fixation attacks. Confirmed that re-using the cookie value in another browser results in using the same session - and user account.

Worth noting that Stash does not accept (to the best of my knowledge) any way of providing session ID other than the cookie, so this is not easily exploitable. Nevertheless it is against good practices to keep the same session after login.
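The behaviour the report describes, and the usual mitigation, as an added example that is not part of the issue and not Stash/Bitbucket code: an in-memory stand-in for a servlet container's session store, a login that keeps the pre-authentication session id (the reported behaviour) beside one that invalidates it and issues a fresh id on login, and a check a test suite can run to confirm the id rotates. In a real servlet application the hardened path corresponds to `HttpSession.invalidate()` followed by `request.getSession(true)`, or `HttpServletRequest.changeSessionId()` on Servlet 3.1+; the store, function names and the user name "alice" here are constructed for the example.

```python
"""Session rotation on login: fixation-prone vs. hardened handling.

Added example (not project code). The SessionStore is a minimal stand-in for
the container's session registry keyed by the value carried in JSESSIONID.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    # session id -> attributes stored in that session
    sessions: dict = field(default_factory=dict)

    def new_session(self) -> str:
        # Unguessable id, as a container would generate for a new JSESSIONID.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def get(self, sid: str):
        return self.sessions.get(sid)


def login_keep_session(store: SessionStore, sid: str, user: str) -> str:
    """Reported behaviour: the user is bound to whatever session id the
    browser already presented, so an id known before login stays valid
    after it. Returns the id the response would set in the cookie."""
    sess = store.get(sid)
    if sess is None:
        sid = store.new_session()
        sess = store.get(sid)
    sess["user"] = user
    return sid


def login_regenerate_session(store: SessionStore, sid: str, user: str) -> str:
    """Hardened behaviour: drop the pre-authentication session entirely,
    create a fresh one, carry over only non-identity attributes (e.g. a
    locale preference), then bind the user to the new id."""
    old_attrs = store.sessions.pop(sid, None) or {}
    new_sid = store.new_session()
    store.sessions[new_sid] = {k: v for k, v in old_attrs.items() if k != "user"}
    store.sessions[new_sid]["user"] = user
    return new_sid


def session_rotates_on_login(login) -> bool:
    """Regression check: a session id obtained anonymously must neither be
    reused as the authenticated id nor resolve to the account after login."""
    store = SessionStore()
    pre_login_id = store.new_session()  # the JSESSIONID set by visiting the home page
    post_login_id = login(store, pre_login_id, "alice")  # constructed user
    leftover = store.get(pre_login_id)
    id_changed = post_login_id != pre_login_id
    old_id_unbound = leftover is None or "user" not in leftover
    return id_changed and old_id_unbound


if __name__ == "__main__":
    for name, fn in (("keep", login_keep_session), ("regenerate", login_regenerate_session)):
        print(f"{name}: rotates on login = {session_rotates_on_login(fn)}")
```

The check is the part worth keeping in a test suite: run it against the application's login handler with a session id captured before authentication, and fail the build if the authenticated response does not set a different `JSESSIONID` or if the old id still resolves to the account.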

Assignee: Unassigned
Reporter: Felix Herzog (felix.he.mms)
Votes: 0
Watchers: 4