Werk #14482: Use proper HMAC for cookie signing

Component: Setup
Title: Use proper HMAC for cookie signing
Date: Aug 2, 2022
Checkmk Edition: Checkmk Raw (CRE)
Checkmk Version: 2.2.0b1
Level: Trivial Change
Class: Security Fix
Compatibility: Incompatible - Manual interaction might be required

Before this Werk, session cookies were signed by computing a plain SHA256 hash over the username, the session id, a serial and a secret. In theory this construction could lead to a "partial message collision".

Since we parse the data given in the cookie and check it for validity, we are confident that such an attack is not possible. To be future-proof, however, we switch to a proper HMAC for signing the cookie value. This invalidates all existing session cookies of a site, so all users have to re-authenticate to obtain new valid cookies.
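The change described above, as an added Python example that is not Checkmk's own code: the pre-Werk plain-hash signature beside the HMAC-SHA256 replacement, plus a verifier that parses the cookie and compares the tag in constant time. The `user:session:serial:tag` cookie layout and the secret are assumptions for the example.

```python
import hashlib
import hmac

# Constructed example secret; a real site uses its own random auth secret.
SECRET = b"example-site-secret-not-real"


def legacy_sign(username: str, session_id: str, serial: int, secret: bytes = SECRET) -> str:
    """Pre-Werk scheme: SHA256 over the concatenated fields with the secret appended."""
    msg = f"{username}:{session_id}:{serial}".encode() + secret
    return hashlib.sha256(msg).hexdigest()


def hmac_sign(username: str, session_id: str, serial: int, secret: bytes = SECRET) -> str:
    """Post-Werk scheme: HMAC-SHA256 keyed with the secret over the same fields."""
    msg = f"{username}:{session_id}:{serial}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_cookie(username: str, session_id: str, serial: int, secret: bytes = SECRET) -> str:
    """Build a cookie value in the assumed layout user:session:serial:tag."""
    if ":" in username or ":" in session_id:
        # The separator must not occur inside a field, or the parse below is ambiguous.
        raise ValueError("field contains separator")
    return f"{username}:{session_id}:{serial}:{hmac_sign(username, session_id, serial, secret)}"


def verify_cookie(cookie: str, secret: bytes = SECRET):
    """Parse the cookie and validate its HMAC.

    Returns (username, session_id, serial) on success, None otherwise. Cookies
    carrying the old plain-hash tag fail here, which is the invalidation the
    Werk describes.
    """
    parts = cookie.split(":")
    if len(parts) != 4:
        return None
    username, session_id, serial_str, tag = parts
    if not serial_str.isdigit():
        return None
    serial = int(serial_str)
    expected = hmac_sign(username, session_id, serial, secret)
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, tag):
        return None
    return username, session_id, serial
```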

