Tags: session, drupal, drupal-8, session-hijacking

Is there a way to check the authenticity of the user, after changing the Session Cookie?


Steps to re-create the issue:

How to solve this issue? Any suggestions would be of great help.

I tried using an event subscriber to get the previous session before Drupal loads the cookie session, but had no luck with it.


Solution

  • This is not a problem. I mean, of course, session hijacking is a really big concern, but standard defences are fine.

    These are the controls that I know are widely known/used:

    All of Drupal 8's cookies are secure by default.

    The exception is BigPipe's no-JS cookie, see https://www.drupal.org/node/2678628 — but there are no security consequences there.


    I know some very sensitive applications may also store, for each session, the following additional information:

    From my point of view, I wouldn't bother with checking the HTTP User-Agent or the remote IP address. They don't add that much security, and they will break legitimate use in certain scenarios. Checking the SSL session ID (SSL session binding) would be OK from a security perspective, but could be painful to implement; the other defences are fine.


    If your concern is cookie theft via XSS, the best defence is to use standard methods to avoid XSS bugs in your web application. See OWASP for plenty of excellent resources.


    You may find a lot of best practices to write secure code for Drupal 8 here: https://www.drupal.org/docs/8/security/writing-secure-code-for-drupal-8

    You may also find a pretty old discussion about this on Drupal here: https://www.drupal.org/project/drupal/issues/19845
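To make the trade-off in the answer above concrete, here is an added example (not code from the question, the answer, or Drupal itself) that simulates the per-session binding controls the answer mentions, the HTTP User-Agent and the remote IP address, in framework-neutral Python. Everything in it is constructed: the server key, the in-memory session store, the user id 42 and the IP addresses. It shows that a cookie replayed from a different client is rejected and logged, but also that a legitimate user whose IP changes is logged out, which is the breakage the answer warns about; switching IP and User-Agent binding off removes both effects.

```python
"""Session binding demo: what checking the User-Agent and remote IP against
values stored at login buys you, and what it costs.  Added example for this
page, not Drupal code; all values are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed server-side secret; a real deployment loads it from protected config.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def fingerprint(user_agent: str, remote_ip: str) -> str:
    """Keyed hash of the client attributes bound to a session.  Storing an HMAC
    instead of the raw values keeps the session store from leaking IP/UA data."""
    msg = f"{user_agent}\n{remote_ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class SessionRecord:
    uid: int
    binding: str  # fingerprint captured at login time


class SessionStore:
    """Minimal server-side session store with optional client binding."""

    def __init__(self, bind_ua: bool = True, bind_ip: bool = True) -> None:
        self.bind_ua = bind_ua
        self.bind_ip = bind_ip
        self._sessions: dict[str, SessionRecord] = {}
        self.destroyed: list[tuple[str, str]] = []  # (sid, reason), feed for alerting

    def _binding(self, user_agent: str, remote_ip: str) -> str:
        # Attributes that are not bound are blanked so they cannot cause a mismatch.
        return fingerprint(user_agent if self.bind_ua else "",
                           remote_ip if self.bind_ip else "")

    def login(self, uid: int, user_agent: str, remote_ip: str) -> str:
        """Create a fresh, unguessable session id and record the client binding."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = SessionRecord(uid, self._binding(user_agent, remote_ip))
        return sid

    def resolve(self, sid: str, user_agent: str, remote_ip: str):
        """Return the uid for a presented cookie, or None.  A cookie whose binding
        no longer matches is destroyed and logged rather than silently accepted."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        expected = self._binding(user_agent, remote_ip)
        if not hmac.compare_digest(rec.binding, expected):
            del self._sessions[sid]
            self.destroyed.append((sid, "binding mismatch"))
            return None
        return rec.uid


def demo() -> dict:
    """Walk through the three cases that decide whether binding is worth it."""
    ua = "Mozilla/5.0 (constructed browser UA)"
    results = {}

    strict = SessionStore(bind_ua=True, bind_ip=True)
    sid = strict.login(42, ua, "203.0.113.10")
    # Same client comes back: accepted.
    results["same_client"] = strict.resolve(sid, ua, "203.0.113.10")
    # Same cookie presented from another client (the hijack case): rejected, logged.
    results["replayed_elsewhere"] = strict.resolve(sid, "curl/8.0", "198.51.100.7")
    results["strict_destroyed"] = len(strict.destroyed)

    # The cost: the legitimate user's IP changes (office Wi-Fi to phone hotspot)
    # and the strict store logs them out too.
    sid2 = strict.login(42, ua, "203.0.113.10")
    results["legit_ip_change_strict"] = strict.resolve(sid2, ua, "192.0.2.55")

    # Without IP/UA binding the same IP change is transparent to the user.
    relaxed = SessionStore(bind_ua=False, bind_ip=False)
    sid3 = relaxed.login(42, ua, "203.0.113.10")
    results["legit_ip_change_relaxed"] = relaxed.resolve(sid3, ua, "192.0.2.55")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `destroyed` list stands in for whatever log sink a real site uses; a burst of "binding mismatch" events for one account is the detection signal such a control gives you, while the `legit_ip_change_strict` case is the support ticket it generates. Session-id regeneration at login and `Secure`/`HttpOnly` cookie flags, which the answer notes Drupal 8 already sets, are assumed to be in place and are not modelled here.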