
Invalidate session cookies when changing the private code #857

Open
zorun opened this issue Oct 13, 2021 · 2 comments

Comments

@zorun (Collaborator)

zorun commented Oct 13, 2021

Since recently, changing the private code is a way to remove access to previous members: it prevents people from logging in with the old private code (obviously) but also with the old token (e.g. in invitation links).

However, if a previous member still has a valid cookie, he/she may still be able to log in anyway. We should check if it works, and if yes, fix this issue.

@almet (Member)

almet commented Oct 17, 2021

Interesting :-)

I confirm that this is a problem: changing the project code doesn't invalidate the cookies. One way to mitigate this would be to include something derived from the project code in the cookie, and check against it when checking the cookie.
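As an added illustration of the mitigation described in the comment above (example code, not ihatemoney's own): a minimal HMAC-signed session cookie that embeds a fingerprint derived from the project's private code, so that a cookie issued under the old code no longer verifies once the code is changed. The function names, the server secret and the project values are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time


def code_fingerprint(private_code: str) -> str:
    """Non-reversible tag of the current private code (hypothetical helper).

    The fingerprint, not the code itself, goes into the cookie; any change to
    the code changes the fingerprint and thereby orphans older cookies.
    """
    return hashlib.sha256(b"session-code-v1:" + private_code.encode()).hexdigest()


def issue_cookie(project_id: str, private_code: str, server_secret: bytes) -> str:
    """Build a signed cookie bound to the private code in force at login time."""
    payload = {"project": project_id, "fp": code_fingerprint(private_code), "iat": int(time.time())}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(server_secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def check_cookie(cookie: str, current_private_code: str, server_secret: bytes):
    """Return the project id if the cookie is authentic AND still matches the
    current private code; otherwise None (treat as logged out)."""
    try:
        body, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed cookie
    expected = hmac.new(server_secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered with
    payload = json.loads(base64.urlsafe_b64decode(body))
    # Constant-time compare: the cookie was issued for a code that is no longer valid
    if not hmac.compare_digest(payload.get("fp", ""), code_fingerprint(current_private_code)):
        return None
    return payload["project"]


if __name__ == "__main__":
    secret = b"constructed-server-secret"          # constructed sample value
    cookie = issue_cookie("holidays", "old-code", secret)
    print(check_cookie(cookie, "old-code", secret))  # accepted while the code is unchanged
    print(check_cookie(cookie, "new-code", secret))  # rejected after the code was changed
```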

@zorun zorun changed the title Check that changing the private code invalidates cookies Invalidate session cookies when changing the private code Jul 28, 2023
@zorun (Collaborator, Author)

zorun commented Jul 28, 2023

While reviewing our security doc, I got reminded of this. Indeed, it's a problem!
