
CentralAuth Session Fixation
Closed, ResolvedPublic


CentralAuth is vulnerable to Session Fixation attacks [0]. It uses the existing session id from a browser's cookie when setting up the CentralAuth session, without resetting the value.

[0] -

If an attacker can set a cookie with the name 'centralauth_Session' with a known value on a victim's browser and the victim later logs in, the attacker can impersonate the victim by using the CentralAuth session id with the chosen value.

Version: unspecified
Severity: normal



Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 1:13 AM
bzimport set Reference to bz40962.
bzimport added a subscriber: Unknown Object (MLST).
csteipp created this task.Oct 11 2012, 4:04 PM

Using CVE-2012-5395 to track this

Created attachment 11353
Generate new Session ID for CentralAuth on login
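The following is an added illustration of the two behaviours discussed in this task (reusing the cookie's session id at login, versus regenerating it as the attached patch does). It is a toy in-memory model written for this page, not CentralAuth or MediaWiki code; the `SessionStore` class, its method names and the attacker-planted value are assumptions, and only the cookie name `centralauth_Session` comes from the task.

```python
"""Toy cookie-backed session store modelling the session-fixation bug.

Added example, not CentralAuth code. Cookies are modelled as a plain dict
that the server both reads from and writes to, standing in for the
Set-Cookie / Cookie round trip.
"""
import secrets

COOKIE = "centralauth_Session"  # cookie name quoted in the task


class SessionStore:
    """Maps session ids to session data; ids normally come from the cookie."""

    def __init__(self):
        self.sessions = {}  # session id -> dict of session data

    def _sid_from_cookie(self, cookies):
        # Accept whatever id the cookie carries, creating the entry lazily.
        # This is the behaviour that makes an attacker-planted id usable.
        sid = cookies.get(COOKIE)
        if sid is None:
            sid = secrets.token_hex(16)
            cookies[COOKIE] = sid
        self.sessions.setdefault(sid, {})
        return sid

    def login_fixable(self, cookies, username):
        """Vulnerable variant: binds the user to the pre-existing id."""
        sid = self._sid_from_cookie(cookies)
        self.sessions[sid]["user"] = username
        return sid

    def login_regenerating(self, cookies, username):
        """Fixed variant: mint a fresh id at login and retire the old one."""
        old = self._sid_from_cookie(cookies)
        data = self.sessions.pop(old)  # old id no longer resolves to anything
        new = secrets.token_hex(16)
        data["user"] = username
        self.sessions[new] = data
        cookies[COOKIE] = new  # client is told the new id via Set-Cookie
        return new

    def whoami(self, cookies):
        """Who does the server think the bearer of this cookie is?"""
        sid = cookies.get(COOKIE)
        return self.sessions.get(sid, {}).get("user")


def simulate(fixed):
    """Replay the scenario from the task description.

    Returns (what the attacker sees, what the victim sees) after the victim
    logs in with an attacker-chosen id already in the cookie jar.
    """
    store = SessionStore()
    planted = "a" * 32  # constructed: id the attacker managed to plant
    victim_cookies = {COOKIE: planted}
    attacker_cookies = {COOKIE: planted}
    login = store.login_regenerating if fixed else store.login_fixable
    login(victim_cookies, "victim")
    return store.whoami(attacker_cookies), store.whoami(victim_cookies)


if __name__ == "__main__":
    print("reuse id on login:      ", simulate(fixed=False))
    print("regenerate id on login: ", simulate(fixed=True))
```

In the vulnerable path the attacker's copy of the planted id resolves to the victim's account; in the regenerating path the planted id is discarded at login, the victim receives a fresh id, and the attacker's cookie resolves to nothing. The general rule the patch applies is to issue a new session id at every privilege change, not only at login.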


The patch looks good.

Merged gerrit 36094 links here, bug maybe resolved

Restricted Application added subscribers: StudiesWorld, Luke081515. Jan 28 2016, 6:13 PM