Security issue: session shared with ALL users #27
Labels
bug
Something isn't working
Comments
hakwerk
added a commit
that referenced
this issue
Nov 3, 2021
* release/21.11: Stop sharing admin session with ALL users (#27)
hakwerk
added a commit
that referenced
this issue
Dec 8, 2021
On the very first run, the authorization and encryption keys are generated as []byte but they should be stored base64 encoded so they match the value as loaded in consecutive runs
hakwerk
added a commit
that referenced
this issue
Dec 8, 2021
* release/21.12: Bump boulder version to release-2021-12-06 Downgrade some errors to warnings on dashboard Fix cert-checker for whitelist/lockdown domains Make initial setup process a bit more clear Add comment to hostname-policy.yaml for whitelist/lockdown section Disable redis containers (#29) Enable more than one local domain to issue certificates for (#24) Encode freshly generated keys to base64 (#27)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As soon as the admin user is logged in, all other sessions (from any other browser/device) can access the admin pages!
It was found that no Set-Cookie headers were sent to the browser but the error message of the session.Save() were not shown. The root cause turned out to be using the base64 encoded authorization and encryption keys for the session store, instead of the decoded binary keys.
The text was updated successfully, but these errors were encountered: