
Penetration Test - laravel_session cookie termination

I am using Laravel 5.3. For one of the websites created recently, the client demanded a penetration test. I have a query about a question raised by one of the security experts during the penetration test; can anyone help me resolve this? Here are the expert's comments:

"After logging out, the previous session, identified by the laravel_session cookie, is not terminated. This allows an attacker to re-use the cookie and issue requests to the application, despite the fact that the user has clicked 'sign out'.

To securely implement log out the application should not just reset the cookie but also invalidate the internal session state tracked by the session cookie - so that any previously issued cookies to the user become invalid.

Sessions are not destroyed upon log out of the user. This allows re-use of the session cookie to continue accessing and using the application despite the user having requested logout."

And this is what the expert did to find the above issue:

  1. I logged into the site and got the laravel_session cookie.
  2. I could access the website.
  3. Then I clicked log out.
  4. I created a new request using the laravel_session cookie I had previously received, from which I had just logged out, and sent the request. I gained access to the website from which I had logged out and should not have had access any more until I logged in again...

Thanks

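The tester's finding is that logging out only replaced the cookie while the server-side session record stayed alive. Below is an added example, not the original poster's code and not a snippet from the Laravel project, of a Laravel 5.3 `LoginController` whose `logout()` discards the server-side session so the old `laravel_session` id cannot be replayed. The `guard()`, `invalidate()` and `regenerateToken()` calls are Laravel's own methods; the controller file, namespace and the `/` redirect target are assumptions.

```php
<?php
// Added example (not the original poster's code, not Laravel's own source):
// a Laravel 5.3 LoginController that overrides logout() so the server-side
// session is destroyed, not merely replaced by a new cookie.
// Assumptions: App\Http\Controllers\Auth namespace, redirect to "/".

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    /**
     * Log the user out and invalidate the server-side session, so a
     * previously issued laravel_session cookie no longer maps to any state.
     */
    public function logout(Request $request)
    {
        // Forget the authenticated user on the guard and clear the
        // "remember me" (recaller) cookie for this response.
        $this->guard()->logout();

        // invalidate() flushes every attribute in the session and migrates
        // to a fresh id, instructing the handler to destroy the old record
        // (file, database row, redis key, ...). Forgetting or regenerating
        // the cookie alone leaves that old record intact and replayable,
        // which is exactly what the tester reproduced.
        $request->session()->invalidate();

        // Rotate the CSRF token so the pre-logout token is useless as well.
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```

Two caveats a practitioner would check before signing this off. First, server-side invalidation only works with a server-side store: with `SESSION_DRIVER=cookie` the whole session (including the logged-in user id) lives encrypted inside the cookie itself, so nothing on the server can revoke an old copy and the replay succeeds until the cookie expires; use `file`, `database` or `redis` instead. Second, re-run the tester's four steps after deploying: a request that replays the pre-logout `laravel_session` cookie should now behave as an anonymous request (typically a redirect to the login page) rather than serving authenticated content.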

Hi ucreate.it,

Assuming you are using Laravel's built-in authentication: potential security vulnerabilities really should not be discussed in the public domain in the first instance.

As per Laravel's Documentation

If you discover a security vulnerability within Laravel, please send an e-mail to Taylor Otwell at [email protected]. All security vulnerabilities will be promptly addressed.

The immediate course of action would be to ensure you are using the latest version of Laravel 5.3 by running composer update (do so at your own risk!). Keep in mind that Laravel 5.3 no longer receives bug fixes and, depending on how you read the release cycle, might no longer be receiving security fixes either. Consider upgrading to the latest major version of Laravel, which is currently 5.5.

Neil
