Session hijacking attack

[pbonito]

Hi team,
we found a problem related to session cookie generated by authservice (__Host-AIS_session).

• Login with 2 different account (UserA,UserB) from 2 different browser
• Replace the cookie value of UserB with one from UserA
• Refresh browser of UserB
• Active session is transferred from UserA to UserB

How we can avoid this? Is there a way to tie __Host-AIS_session to browser cookie?

Thanks in advance for your help

[nacx]

I'm not fully understanding the problem:

Replace the cookie value of UserB with one from UserA

What do you mean by this, exactly? Is that replacement a manual thing a user would do?

The session cookie is configured with the HttpOnly and Secure flags. This means the cookie is only sent on HTTPS connections (preventing eavesdropping), and it won't be readable from javascript, so that malicious code injected int he client can't access it.

[pbonito]

Yes, it was a manual thing, but we agreed with security team that there was not a valid solution to this issue.