Merge pull request from GHSA-3xf8-g8gr-g7rh

Always create a brand-new session for an authentication attempt by ignoring any previous session ID. This avoids a potential session fixation attack. Refs GHSA-3xf8-g8gr-g7rh
Graylog2 · Feb 7, 2024 · b93a663 · b93a663
1 parent 2cb847c
commit b93a663
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 9 deletions.
diff --git a/changelog/unreleased/ghsa-3xf8-g8gr-g7rh.toml b/changelog/unreleased/ghsa-3xf8-g8gr-g7rh.toml
@@ -0,0 +1,2 @@
+type = "security"
+message = "Always create new sessions for authentication attempts to fix a potential session fixation vulnerability. [GHSA-3xf8-g8gr-g7rh](https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-3xf8-g8gr-g7rh)"
diff --git a/graylog2-server/src/main/java/org/graylog2/rest/resources/system/SessionsResource.java b/graylog2-server/src/main/java/org/graylog2/rest/resources/system/SessionsResource.java
@@ -121,25 +121,19 @@ public Response newSession(@Context ContainerRequestContext requestContext,
 
         rejectServiceAccount(createRequest);
 
-        final SecurityContext securityContext = requestContext.getSecurityContext();
-        if (!(securityContext instanceof ShiroSecurityContext)) {
-            throw new InternalServerErrorException("Unsupported SecurityContext class, this is a bug!");
-        }
-        final ShiroSecurityContext shiroSecurityContext = (ShiroSecurityContext) securityContext;
-
         final ActorAwareAuthenticationToken authToken;
         try {
             authToken = tokenFactory.forRequestBody(createRequest);
         } catch (IllegalArgumentException e) {
             throw new BadRequestException(e.getMessage());
         }
 
-        // we treat the BASIC auth username as the sessionid
-        final String sessionId = shiroSecurityContext.getUsername();
         final String host = RestTools.getRemoteAddrFromRequest(grizzlyRequest, trustedSubnets);
 
         try {
-            Optional<Session> session = sessionCreator.login(sessionId, host, authToken);
+            // Always create a brand-new session for an authentication attempt by ignoring any previous session ID.
+            // This avoids a potential session fixation attack. (GHSA-3xf8-g8gr-g7rh)
+            Optional<Session> session = sessionCreator.login(null, host, authToken);
             if (session.isPresent()) {
                 final SessionResponse token = sessionResponseFactory.forSession(session.get());
                 return Response.ok()