Werk #11499: Improve login session security

Title: Improve login session security
Date: 2020-10-02 09:31:29
Checkmk Edition: Checkmk Raw Edition (CRE)
Checkmk Version: 2.0.0i1
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed

In previous Checkmk versions, login sessions were not tracked on the Checkmk server side. This means that a logout in the GUI was a pure client-side action that destroyed the authentication cookie. If the cookie had been stored and was reused later, the user could access the GUI again with that old login session even though it had been logged out.

This change extends the authentication cookie with a session ID which must be known to the Checkmk server for a login to succeed. Once a login session is logged out from the GUI, the session is invalidated on the Checkmk server. If a client tries to access the GUI with an invalidated authentication cookie, the login is rejected from now on.

Please note that this change adds some limitations:

  • Each user can now have up to 20 parallel login sessions. Once a user account reaches the 21st session, the session with the longest inactivity is invalidated.
  • Existing sessions with an inactivity of more than 7 days are invalidated.

The change to the authentication cookie requires all users to log in again to the GUI after updating to Checkmk 2.0, because the new cookie format is incompatible with the authentication cookies issued by previous Checkmk versions.

We use this incompatibility to switch the authentication cookie hashing algorithm from md5 to sha256. The previous use of md5 was not a security problem at this point, but it can be considered bad practice.
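The following is an added illustration of the behaviour this Werk describes (server-side session tracking, logout invalidation, the 20-session and 7-day limits, and a sha256-based cookie MAC); it is not Checkmk's own implementation, and the cookie layout, the `SessionStore` class and its method names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

MAX_SESSIONS_PER_USER = 20  # limit stated in the Werk
INACTIVITY_LIMIT = 7 * 24 * 3600  # seconds; the 7 days stated in the Werk

class SessionStore:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._sessions = {}  # user -> {session_id: timestamp of last activity}

    def _sign(self, user: str, session_id: str) -> str:
        payload = f"{user}:{session_id}".encode()
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def _parse(self, cookie: str):
        # Returns (user, session_id) only if the cookie is well-formed and its MAC verifies.
        parts = cookie.split(":")  # assumes user names contain no ':'
        if len(parts) != 3:
            return None
        if not hmac.compare_digest(parts[2].encode(), self._sign(parts[0], parts[1]).encode()):
            return None
        return parts[0], parts[1]

    def login(self, user: str, now: float) -> str:
        # Create a server-side session and return the cookie value to issue.
        user_sessions = self._sessions.setdefault(user, {})
        if len(user_sessions) >= MAX_SESSIONS_PER_USER:
            # 21st session: evict the session with the longest inactivity.
            del user_sessions[min(user_sessions, key=user_sessions.get)]
        session_id = secrets.token_hex(16)
        user_sessions[session_id] = now
        return f"{user}:{session_id}:{self._sign(user, session_id)}"

    def validate(self, cookie: str, now: float) -> bool:
        # True only if the MAC verifies and the session is still known and active on the server.
        parsed = self._parse(cookie)
        if parsed is None:
            return False
        user, session_id = parsed
        last_activity = self._sessions.get(user, {}).get(session_id)
        if last_activity is None or now - last_activity > INACTIVITY_LIMIT:
            self._sessions.get(user, {}).pop(session_id, None)  # expired, logged out, evicted or unknown
            return False
        self._sessions[user][session_id] = now  # record activity
        return True

    def logout(self, cookie: str) -> None:
        # Invalidate the session on the server, not just in the browser.
        parsed = self._parse(cookie)
        if parsed is not None:
            self._sessions.get(parsed[0], {}).pop(parsed[1], None)
```

A replayed cookie fails `validate` as soon as its session has been logged out, evicted or expired, even though its MAC is still valid.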