back to website

Werk #14482: Use proper HMAC for cookie signing

Component Setup
Title Use proper HMAC for cookie signing
Date Aug 2, 2022
Level Trivial Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.2.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Previously to this Werk the Session cookies were signed with with calculating a SHA256 hash over username, session id, a serial plus a secret. This could in theory lead to a "partial message collision".

Since we parse the data given in the cookie and test for validity, we are confident that such an attack is not possible. But to be future-proof we switch to proper HMAC for signing the cookie value. This will invalidate all session cookies for a site. Therefore all users have to reauthenticate to retrieve new valid cookies.

To the list of all Werks

The Checkmk logo (formerly known as Check_MK) is a trademark of Checkmk GmbH. ©2025 Checkmk GmbH. All rights reserved.

Join our Checkmk Conference #12 – the hybrid Monitoring Community event in Munich, on June 16-18 – to explore new Checkmk features, best practices, and our roadmap.

Register now