Bitbucket Server / BSERV-4216

Stash does not invalidate session upon login


    Details

    • Type: Suggestion
    • Status: Resolved
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security - Other
    • Labels: None
    • Feedback Policy: We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see "An updated workflow for server feature suggestions".

    Description

    Stash does not invalidate the session upon login. To reproduce, make sure you're logged out, delete the JSESSIONID cookie and open a page in Stash (not logged in) that creates a session (e.g. the home link). A new JSESSIONID cookie will be generated and it will not change upon login, which allows for session fixation attacks. Confirmed that re-using the cookie value in another browser results in using the same session - and user account.

    Worth noting that Stash does not accept (to the best of my knowledge) any way of providing the session ID other than the cookie, so this is not easily exploitable. Nevertheless it is against good practices to keep the same session after login.
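The defence the report asks for is to issue a fresh session identifier at the moment authentication succeeds and to invalidate the pre-login one, so that an identifier a user was holding before login never becomes an authenticated session. The following is an added example, not Stash/Bitbucket Server code: a minimal in-memory session store with a `rotate_on_login` switch, where `False` reproduces the reported behaviour (same id before and after login) and `True` is the corrected behaviour. The `Session`, `SessionStore`, and `pre_login_id_survives_login` names, and the `JSESSIONID` cookie parsing helper, are assumptions made for this illustration; the cookie-only lookup mirrors the report's note that the session id is accepted from the cookie and nowhere else.

```python
"""Session-fixation defence: rotate the session id at login.

Added example, not code from Stash / Bitbucket Server. It models the
behaviour the report describes with an in-memory store so the effect of
rotating (or not rotating) the id at login can be checked directly.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None                 # None while anonymous
    data: dict = field(default_factory=dict)   # pre-login state, e.g. UI prefs


def session_id_from_cookie(cookie_header: str, name: str = "JSESSIONID") -> Optional[str]:
    """Read the session id from the Cookie header only (never from URL or body).

    Accepting the id only from the cookie is what limits the reported issue;
    rotating it at login is what removes it.
    """
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name and value:
            return value
    return None


class SessionStore:
    def __init__(self, rotate_on_login: bool = True) -> None:
        # rotate_on_login=False reproduces the reported behaviour;
        # rotate_on_login=True is the corrected behaviour.
        self.rotate_on_login = rotate_on_login
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        """Create an anonymous session, as visiting the home page would."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: Optional[str], user: str, password_ok: bool) -> str:
        """Authenticate and return the id the Set-Cookie response must carry."""
        if not password_ok:
            raise PermissionError("bad credentials")
        old = self._sessions.get(sid) if sid else None
        if old is None:
            old = Session()
        if not self.rotate_on_login:
            # Reported behaviour: the pre-login id simply becomes authenticated.
            old.user = user
            self._sessions[sid] = old
            return sid
        # Fix: invalidate the pre-login id and migrate any anonymous state
        # to a freshly generated id that only this response has ever seen.
        if sid:
            self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=user, data=dict(old.data))
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def pre_login_id_survives_login(store: SessionStore) -> bool:
    """Regression check: does the id issued before login still resolve to the
    authenticated user afterwards? True means the fixation weakness is present."""
    sid = store.new_session()
    store.login(sid, "alice", password_ok=True)
    old = store.get(sid)
    return old is not None and old.user == "alice"


if __name__ == "__main__":
    print("reported behaviour, id survives login:",
          pre_login_id_survives_login(SessionStore(rotate_on_login=False)))
    print("rotated at login, id survives login:",
          pre_login_id_survives_login(SessionStore(rotate_on_login=True)))
```

`pre_login_id_survives_login` is the check to keep in a test suite for any web application: it must return `False`. For a Java servlet application such as Stash, the equivalent of the rotation branch is calling `HttpServletRequest.changeSessionId()` (Servlet 3.1) immediately after credentials are verified, or invalidating the old `HttpSession` and creating a new one before attaching the principal.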


    People

    • Assignee: Unassigned
    • Reporter: Felix Herzog (felix.he.mms)
    • Votes: 0
    • Watchers: 3
