
latheesan's avatar

Logged out Laravel 8.x session cookie can be re-used to login

My app is built on Laravel 8.x and deployed via Vapor and uses Redis as session driver.

I noticed this odd behaviour where, if you log in to the app and copy the cookie, then log out, import the cookie and refresh the page, you are logged back in. The logged-out session did not get invalidated.

Here are the steps to reproduce:

  1. Install the Cookie-Editor plugin in Chrome
  2. Log in to the app
  3. Use the Cookie-Editor plugin and export the cookie
  4. Log out of the app
  5. Use the Cookie-Editor plugin to import the exported cookie and refresh the page; you are now logged in

I followed the instructions on https://laravel.com/docs/8.x/authentication#logging-out to implement the logout functionality, but this doesn't seem to be working?

Auth::logout();                          // forget the authenticated user on the guard
$request->session()->invalidate();       // flush all session data and regenerate the session ID (the old ID is destroyed in the store)
$request->session()->regenerateToken();  // issue a fresh CSRF token

I am not able to reproduce this with the app running locally in Apache + PHP; this behaviour is only observed on my Vapor-deployed instance.

Any idea what the issue might be? How do you properly log out, so that the cookie from the previous session can't be used again?

0 likes
7 replies
MohamedTammam's avatar

Why do you think it's an issue?

That's how "remember me" works. You store a cookie in the browser and then check against it if the session is expired.

What is the vulnerability in this?

latheesan's avatar

@MohamedTammam This behaviour is observed when remember me was turned off also. I even wrote a bit of custom logic to update the remember_token to random string during logout, that didn't help either.

Why is this bad? Well, if I steal someone's logged-in cookie, I can log in as that user without their credentials - seems like a pretty bad flaw.

MohamedTammam's avatar

@latheesan Is there a website that doesn't have that behavior?

If you steal someone's cookies, tokens, passwords etc, you can login as them, right?

Snapey's avatar

@MohamedTammam It shouldn't be possible to re-identify with a session that has been invalidated.

@latheesan are you sure that the session is Redis and not cookie?

2 likes
latheesan's avatar

@MohamedTammam Yes, I agree, but surely when you log out and explicitly tell the framework to invalidate the session and regenerate the token, you'd expect the stolen cookie can't be re-used, right?

latheesan's avatar

@Snapey The session driver is Redis, which is why I'm more confused about why stealing the cookie can let you log in, even after you told the framework to forget everything. Is there a disconnect between the user action and what the Redis session driver is doing?

latheesan's avatar

Given that I am using the Redis session driver, what is the correct way to invalidate the logged-in session when logging out?
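As an added example that is not part of this thread (neither latheesan's code nor Laravel's own test suite): a Laravel 8.x feature test that checks, at the session-store level rather than by replaying a browser cookie, whether the session record behind a pre-logout cookie still exists once the documented logout handler has run. It assumes the test environment is configured with SESSION_DRIVER=redis, that the app exposes POST /login and POST /logout as in the Laravel docs, and that a User factory exists.

```php
<?php
// Added example, not from the thread. Assumes SESSION_DRIVER=redis in the test
// environment, POST /login and POST /logout routes, and a User model factory.
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Session;
use Tests\TestCase;

class LogoutInvalidatesSessionTest extends TestCase
{
    use RefreshDatabase;

    public function test_old_session_id_is_destroyed_in_redis_on_logout(): void
    {
        // Guard against the test silently running under a different store than production.
        $this->assertSame('redis', config('session.driver'));

        $user = User::factory()->create(['password' => Hash::make('test-password-only')]);

        // Log in through the real login route so SessionGuard writes the login key
        // and migrates the session, exactly as a browser login would.
        $this->post('/login', ['email' => $user->email, 'password' => 'test-password-only'])
             ->assertRedirect();
        $this->assertAuthenticatedAs($user);

        // This is the ID the browser's session cookie carries after login.
        $oldId = Session::getId();
        $this->assertNotSame('', (string) Session::getHandler()->read($oldId),
            'login state should have been persisted under the old session ID');

        // The test client does not replay cookies automatically; present the captured
        // session ID the same way the exported cookie in the repro steps would.
        $this->withCookie(config('session.cookie'), $oldId)
             ->post('/logout')
             ->assertRedirect();
        $this->assertGuest();

        // invalidate() is flush + migrate(true), which destroys the old record in the
        // store. If this assertion fails, replaying the exported cookie still authenticates.
        $this->assertSame('', (string) Session::getHandler()->read($oldId),
            'old session record must not survive logout');
        $this->assertNotSame($oldId, Session::getId());
    }
}
```

Run it with the same session configuration as the deployed environment; a failure here points at the store the logout request actually wrote to, not at the browser.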
