Description
There is a window of opportunity for Session Fixation exploitation in the logic of RedisStorage.
As seen here: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/__init__.py#L190
Getting the session data returns an empty dictionary for an empty session (this includes an invalidated one).
Referring here: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L60
save_session takes this data and saves it in Redis.
As a result, an invalidated session results in the session ID still being present in Redis, with an empty mapping as its value.
Now looking over at: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L50
RedisStorage's load_session only handles the case where the data returned by reading from Redis is None. That happens only if the key (session ID) is not present in Redis (it has either expired or was never inserted), but, as established above, the key is never actually removed; only its value mapping is emptied. As a result, load_session returns a session with the presented session ID rather than a new one, even though there was no valid session in storage for this ID.
If this is not caught and mitigated by the web app the following scenario can unfold:
- Attacker acquires a valid cookie
- Invalidates it (logs out)
- Attacker injects said cookie in victim's browser (see OWASP's link above for examples on how)
- Victim visits web app presenting the cookie present in his browser
- Web app uses the get_session to get a session object for the user, expecting a 'clean' session
- get_session returns a session with the session ID that was present in the cookie presented by the user
- session is populated by the web app and subsequently stored by aiohttp-session during the response
- User is now logged in with the session ID of the cookie that was injected by the attacker
- The attacker now controls (knows) a session cookie for a given user
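The following is an added example that is not code from aiohttp-session; it models the storage logic described above with a small in-memory stand-in for Redis and assumed class names (FakeRedis, Session, VulnerableStorage, HardenedStorage). It replays the steps listed above as a regression check and contrasts the described load_session behaviour with a hardened storage that never persists an empty mapping and never accepts one as a live session.

```python
import json
import secrets
from typing import Dict, Optional


class FakeRedis:
    """Minimal in-memory stand-in for the Redis calls used below (constructed)."""

    def __init__(self) -> None:
        self._data: Dict[str, str] = {}

    def get(self, key: str) -> Optional[str]:
        return self._data.get(key)

    def set(self, key: str, value: str) -> None:
        self._data[key] = value

    def delete(self, key: str) -> None:
        self._data.pop(key, None)


class Session(dict):
    """Session mapping plus the identity (cookie value) it was loaded under."""

    def __init__(self, identity: Optional[str], data: Optional[dict] = None) -> None:
        super().__init__(data or {})
        self.identity = identity  # None means "new session, no ID assigned yet"

    def invalidate(self) -> None:
        # Mirrors the behaviour the issue describes: logout empties the mapping
        # but keeps the identity, so the storage layer decides what to persist.
        self.clear()


class VulnerableStorage:
    """Models the issue: only a missing key yields a fresh identity."""

    def __init__(self, redis: FakeRedis) -> None:
        self.redis = redis

    def load_session(self, cookie: Optional[str]) -> Session:
        if cookie is None:
            return Session(None)
        data = self.redis.get(cookie)
        if data is None:  # only a missing key is treated as "no session"
            return Session(None)
        return Session(cookie, json.loads(data))

    def save_session(self, session: Session) -> Optional[str]:
        key = session.identity or secrets.token_hex(16)
        session.identity = key
        self.redis.set(key, json.dumps(dict(session)))  # persists {} after logout
        return key


class HardenedStorage(VulnerableStorage):
    """Two independent fixes: never persist an empty mapping, never trust one."""

    def load_session(self, cookie: Optional[str]) -> Session:
        if cookie is None:
            return Session(None)
        data = self.redis.get(cookie)
        mapping = json.loads(data) if data else {}
        if not mapping:  # missing key OR empty mapping: treat as no session
            self.redis.delete(cookie)  # clean up a stale key if one exists
            return Session(None)
        return Session(cookie, mapping)

    def save_session(self, session: Session) -> Optional[str]:
        if not session:  # invalidated: drop the key instead of storing {}
            if session.identity:
                self.redis.delete(session.identity)
                session.identity = None
            return None
        return super().save_session(session)


def fixation_scenario(storage_cls) -> bool:
    """Replays the issue's steps; True means the victim ended up on the attacker-known ID."""
    storage = storage_cls(FakeRedis())

    # 1. A valid cookie is obtained by logging in to an attacker-controlled account.
    s = storage.load_session(None)
    s["user"] = "attacker"
    attacker_cookie = storage.save_session(s)

    # 2. That account logs out: the app invalidates the session, storage persists it.
    s = storage.load_session(attacker_cookie)
    s.invalidate()
    storage.save_session(s)

    # 3. The victim's browser later presents that same cookie and the app logs them in.
    victim = storage.load_session(attacker_cookie)
    victim["user"] = "victim"
    victim_cookie = storage.save_session(victim)

    return victim_cookie == attacker_cookie


def empty_mapping_gets_fresh_identity(storage_cls) -> bool:
    """A key holding {} in Redis must not be accepted as a live session."""
    redis = FakeRedis()
    redis.set("stale-id", json.dumps({}))  # constructed: what a vulnerable save leaves behind
    return storage_cls(redis).load_session("stale-id").identity is None


if __name__ == "__main__":
    print("vulnerable fixation:", fixation_scenario(VulnerableStorage))  # True
    print("hardened fixation:", fixation_scenario(HardenedStorage))  # False
```

Either fix on its own closes the window: deleting the key on save keeps Redis consistent with the session's state, while rejecting an empty mapping on load protects against keys that were already written that way before the fix was deployed. Applying both also gives the app a simple check to add in the meantime: if the loaded session is empty, call new_session rather than populating the one returned under the presented ID.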