Are You able to Hijack Your Session?

Hi Everyone,

I hope it’s just my installation, but I installed 2 InvoicePlane instances under /var/www/html/ using different directories, MySQL, users and passwords for different businesses.

My point is, if I’m logged into invoiceplane-a, I’m able to jump into invoiceplane-b with the same user.

invoice-a: where I’m authenticated

invoice-b: where I consider InvoicePlane should ask me for a password before showing me this page

Apparently you can, as long as it is on the same server.

Without knowing further technical details I assume one thing here:

The cookie placed by IP named ‘ci_session’ works, like all cookies, within the domain. So, if only the path after the TLD changes, the cookie can be read and therefore authentication information can be exchanged between the client and the script.

I suggest that using different usernames (or email addresses) may solve the problem, but perhaps may cause more, like having to log in every single time the other installation was opened once.

Yes, this problem was already reported by a user and will be solved with a completely overhauled session management in InvoicePlane 2.

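The cookie-scoping behaviour described in the reply above, shown as an added example that is not code from the thread or from InvoicePlane. It uses only the Python standard library's `http.cookiejar` (the same RFC 6265 path/domain rules a browser applies) to replay what a client does with a `ci_session` cookie. The host address, the `/invoice-a` and `/invoice-b` directory names, the session value and the `Path=/` attribute are all constructed for the demonstration; InvoicePlane's real default cookie path is not stated in the thread and is assumed here to be `/`.

```python
"""Why one ci_session cookie reaches two InvoicePlane installs that share a host.

Constructed example: a browser stores the cookie for the *host*; only the
cookie's Path attribute decides which directories on that host receive it.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed LAN address: stands in for "same server, no domain name".
HOST = "http://192.0.2.10"
SESSION_VALUE = "abc123sessionvalue"  # constructed, not a real session id


class _SetCookieResponse:
    """Minimal stand-in for an HTTP response, just enough for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # Message appends repeated headers

    def info(self):
        return self._headers


def simulate_login(set_cookie_header, login_url):
    """Store the Set-Cookie header the login response would carry, as a browser would."""
    jar = CookieJar()
    jar.extract_cookies(_SetCookieResponse([set_cookie_header]), Request(login_url))
    return jar


def cookie_sent_to(jar, url):
    """Return the Cookie header the client would attach to a request for url, or None."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def session_visibility(set_cookie_header):
    """Log in to invoice-a, then see which install receives the session cookie."""
    jar = simulate_login(set_cookie_header, f"{HOST}/invoice-a/index.php/sessions/login")
    return {
        "invoice-a": cookie_sent_to(jar, f"{HOST}/invoice-a/index.php/dashboard"),
        "invoice-b": cookie_sent_to(jar, f"{HOST}/invoice-b/index.php/dashboard"),
    }


def shared_session_demo():
    """Path=/ (assumed default): both directories get the same ci_session cookie."""
    return session_visibility(f"ci_session={SESSION_VALUE}; Path=/; HttpOnly")


def scoped_session_demo():
    """Path narrowed to the install's own directory: invoice-b never sees the cookie."""
    return session_visibility(f"ci_session={SESSION_VALUE}; Path=/invoice-a; HttpOnly")


if __name__ == "__main__":
    for label, result in (("Path=/", shared_session_demo()),
                          ("Path=/invoice-a", scoped_session_demo())):
        print(label)
        for install, header in result.items():
            print(f"  {install}: {header!r}")
```

Narrowing the cookie `Path` stops the accidental sharing, but it is not a security boundary: both installs are the same origin (same scheme, host and port), so any script on one can still read or set cookies for the other. Giving each install its own hostname, as the Apache virtual-host workaround later in the thread does, is the separation a browser actually enforces.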

+1 @opsecisland, yeah of course I’m on the same server and not using a domain name URL :slight_smile:

So if I understood correctly, basically by using a domain name and/or specifying the domain in the cookie I could avoid this situation, but it’s fine for me because it’s only available on the LAN.

And in my case I mixed 2 non-best practices, such as:

  • IP resolution,
  • multihosting the same solution on the same IP.

I’m glad this issue will be fixed in a future release. :wink:

What I did to work around this was to use virtual hosts on Apache.