Affiliates - Session Fixation
Low
Vulnerability Details
SEVERITY: Medium
LOCATION:
● https://affiliates.kromtech.com
ISSUE DESCRIPTION:
The session identifier is not invalidated on the server when the user logs out (insufficient session expiration). A user, or an attacker who has captured the `sid` cookie, can keep sending requests with a session token that should have been marked invalid after logout, and the server still treats them as authenticated.
PROOF OF VULNERABILITY:
Request made after Logout with the same cookie value. The command below is the reporter's Burp-style replay, with the cookie passed once via `-b` (the original also repeated it as a raw `Cookie:` header, which is redundant):

```shell
# Replay /account with the session id captured before logout.
# A correctly invalidated session should yield a 401/403 or a redirect to login,
# not the authenticated account page.
curl -i -s -k -X GET \
  -H 'Host: affiliates.kromtech.com' \
  -b 'sid=91iqik6qtblp0vsu9b5j7fgal0' \
  'https://affiliates.kromtech.com/account'
```
RECOMMENDATIONS:
The logout function should be prominently visible to the user, explicitly destroy the user's session on the server, and reject any further request that presents the old session token. After logout the server should issue a fresh, unauthenticated session ID to the browser rather than leaving the old one in place.
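To make the recommendation concrete, here is an added example (not the affiliates application's own code) that models a server-side session store with two logout handlers: one that only clears the cookie in the browser, which is the behaviour the report describes, and one that destroys the session server-side and rotates the session ID. The `replay_after_logout` helper reproduces the report's test: log in, log out, then replay `/account` with the old `sid`. The store, handler names, and the cookie attributes are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Hypothetical in-memory session backend standing in for whatever the real
# application uses; keys are session ids, values are session data.
@dataclass
class SessionStore:
    sessions: Dict[str, dict] = field(default_factory=dict)

    def create(self, user: Optional[str]) -> str:
        """Create a session bound to `user` (None = anonymous) and return its id."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[dict]:
        return self.sessions.get(sid) if sid else None


def logout_vulnerable(store: SessionStore, sid: str) -> str:
    """Logout that only expires the cookie client-side.

    Nothing is removed from `store`, so anyone who still holds `sid`
    can keep using it. Returns the Set-Cookie header the server would send.
    """
    return "Set-Cookie: sid=; Max-Age=0"


def logout_fixed(store: SessionStore, sid: str) -> str:
    """Logout that invalidates server-side and issues a new, anonymous session id."""
    store.sessions.pop(sid, None)          # old token is now unknown to the server
    new_sid = store.create(None)           # fresh id, not tied to any user
    # Secure/HttpOnly/SameSite are assumed hardening attributes, not from the report.
    return f"Set-Cookie: sid={new_sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def get_account(store: SessionStore, sid: Optional[str]) -> int:
    """/account handler: 200 for an authenticated session, 401 otherwise."""
    sess = store.lookup(sid)
    if sess is None or sess.get("user") is None:
        return 401
    return 200


def sid_from_set_cookie(header: str) -> Optional[str]:
    """Extract the sid value from a Set-Cookie header ('' or missing -> None)."""
    value = header.split(":", 1)[1].strip().split(";", 1)[0]
    name, _, sid = value.partition("=")
    return sid or None if name.strip() == "sid" else None


def replay_after_logout(logout: Callable[[SessionStore, str], str]) -> int:
    """Reproduce the report's check: login, logout, replay /account with the old sid."""
    store = SessionStore()
    sid = store.create("victim")
    if get_account(store, sid) != 200:
        raise RuntimeError("setup failed: fresh login should be authenticated")
    logout(store, sid)
    # The attacker ignores the Set-Cookie from logout and replays the old token.
    return get_account(store, sid)


def new_session_after_logout(logout: Callable[[SessionStore, str], str]) -> int:
    """Status when the browser honours the post-logout cookie (should never be 200)."""
    store = SessionStore()
    sid = store.create("victim")
    new_sid = sid_from_set_cookie(logout(store, sid))
    return get_account(store, new_sid)


if __name__ == "__main__":
    print("vulnerable logout, old sid replayed:", replay_after_logout(logout_vulnerable))
    print("fixed logout, old sid replayed:     ", replay_after_logout(logout_fixed))
    print("fixed logout, new anonymous sid:    ", new_session_after_logout(logout_fixed))
```

The same three calls map directly onto a regression test for the real endpoint: a logged-in `sid` must stop working the moment `/logout` is called, and the cookie handed back by logout must not itself be authenticated.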
## Impact
A remote attacker who obtains a session token (for example from a shared or compromised machine, logs, or a network capture) retains access to the victim's session even after the victim logs out, and can perform arbitrary actions with the privileges of that user.
Report Stats
- Report ID: 737058
- State: Closed
- Substate: resolved
- Upvotes: 3