Werk #14482: Use proper HMAC for cookie signing
Component | Setup
Title | Use proper HMAC for cookie signing
Date | 02.08.2022
Checkmk edition | Checkmk Raw (CRE)
Checkmk version | 2.2.0b1
Level | Minor change
Class | Security fix
Compatibility | Incompatible - manual interaction might be required
Before this Werk, session cookies were signed by computing a SHA256 hash over the username, the session ID, a serial and a secret. In theory this could lead to a "partial message collision".
Since we parse the data given in the cookie and check it for validity, we are confident that such an attack is not possible. But to be future-proof, we switch to a proper HMAC for signing the cookie value. This invalidates all session cookies of a site, so all users have to re-authenticate to obtain new valid cookies.
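The following Python example is added here to illustrate the change; it is not Checkmk's own code. It assumes a cookie layout of `username:session_id:serial:signature` and a constructed site secret, and it shows the keyed HMAC-SHA256 signature the Werk switches to next to an assumed shape of the older unkeyed hash (the exact concatenation used before the Werk is not given above). The verifier parses the cookie, recomputes the HMAC and compares it in constant time, so a cookie with a tampered field, a tampered signature, or a signature from the old scheme is rejected, which is why existing sessions become invalid.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed site secret for this example only; a real deployment reads a
# random secret from the site's configuration and never hard-codes it.
SECRET = b"constructed-example-secret-not-for-production"


def _cookie_message(username: str, session_id: str, serial: int) -> bytes:
    """Canonical byte encoding of the three signed fields.

    Each field is length-prefixed so that two different field tuples can never
    encode to the same byte string (plain concatenation would let ("ab", "c")
    and ("a", "bc") collide).
    """
    fields = (
        username.encode("utf-8"),
        session_id.encode("utf-8"),
        str(serial).encode("ascii"),
    )
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def legacy_signature(username: str, session_id: str, serial: int, secret: bytes = SECRET) -> str:
    """Assumed shape of the pre-Werk signature: a bare SHA256 over fields plus secret.

    Shown only for contrast; the hash is not keyed, which is what the Werk replaces.
    """
    return hashlib.sha256(_cookie_message(username, session_id, serial) + secret).hexdigest()


def hmac_signature(username: str, session_id: str, serial: int, secret: bytes = SECRET) -> str:
    """Keyed HMAC-SHA256 over the same fields, as the Werk switches to."""
    return hmac.new(secret, _cookie_message(username, session_id, serial), hashlib.sha256).hexdigest()


def make_cookie(username: str, session_id: str, serial: int, secret: bytes = SECRET) -> str:
    """Assumed cookie layout: username:session_id:serial:signature."""
    sig = hmac_signature(username, session_id, serial, secret)
    return f"{username}:{session_id}:{serial}:{sig}"


def verify_cookie(cookie: str, secret: bytes = SECRET) -> Optional[Tuple[str, str, int]]:
    """Parse the cookie and check its HMAC; return the fields, or None if invalid."""
    # rsplit keeps a username containing ':' intact (session id and serial never do).
    parts = cookie.rsplit(":", 3)
    if len(parts) != 4:
        return None
    username, session_id, serial_text, sig = parts
    if not serial_text.isdigit():
        return None
    serial = int(serial_text)
    expected = hmac_signature(username, session_id, serial, secret)
    # Constant-time comparison so the check leaks nothing about the expected value.
    if not hmac.compare_digest(expected, sig):
        return None
    return username, session_id, serial


if __name__ == "__main__":
    cookie = make_cookie("alice", "4f7c9a1e", 3)
    print("cookie:   ", cookie)
    print("verified: ", verify_cookie(cookie))
    # A cookie carrying the old, unkeyed signature no longer verifies.
    old = f"alice:4f7c9a1e:3:{legacy_signature('alice', '4f7c9a1e', 3)}"
    print("old scheme:", verify_cookie(old))
```

The length-prefixed field encoding is part of the hardening: with an HMAC the key is already mixed in properly, but an unambiguous encoding is what makes the "partial message collision" between differently split field values impossible in the first place.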