Download

Werk #14482: Use proper HMAC for cookie signing

Komponente Setup
Titel Use proper HMAC for cookie signing
Datum 02.08.2022
Checkmk Edition Checkmk Raw (CRE)
Checkmk-Version 2.2.0b1
Level Kleine Änderung
Klasse Sicherheitsfix
Kompatibilität Inkompatibel - Manuelle Interaktion könnte erforderlich sein

Previously to this Werk the Session cookies were signed with with calculating a SHA256 hash over username, session id, a serial plus a secret. This could in theory lead to a "partial message collision".

Since we parse the data given in the cookie and test for validity, we are confident that such an attack is not possible. But to be future-proof we switch to proper HMAC for signing the cookie value. This will invalidate all session cookies for a site. Therefore all users have to reauthenticate to retrieve new valid cookies.

Zur Liste aller Werks

Überzeugen Sie sich selbst

Testen Sie Checkmk jetzt.

Raw Edition herunterladen Kostenloses Open-Source-Monitoring
Play with Checkmk Checkmk ohne Installation ausprobieren
checkmk_conference_10.png

Das Highlight des Jahres: Vom 11. - 13. Juni 2024 kommt die Checkmk Community in München zusammen.

Register now