Associate SSO cookie with session ID to prevent session reuse

Created on 8 April 2013, about 12 years ago
Updated 15 May 2025, 2 days ago

Bakery's SSO cookie causes authentication to occur without the need for a valid Drupal session. This is by design and in the nature of how Bakery provides cross-site SSO. However, it can be exploited should someone steal a user's SSO cookie. Even if that user logs out of the Drupal site, a request with their SSO cookie will authenticate.

Steps to reproduce:

  1. Authenticate on a Bakery-enabled Drupal site
  2. Save the CHOCOLATECHIP cookie (using something like the Firefox extension Cookie Exporter)
  3. Log out and then import the CHOCOLATECHIP cookie
  4. Request a page and see an authenticated response back

Bakery should associate the CHOCOLATECHIP cookie to the user's session on the master and check it during validation.
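The following is an added illustration of the proposed fix, not Bakery's code: a simplified master that embeds the session ID in an HMAC-signed SSO cookie (the cookie layout, the key and the username "alice" are constructed for this example) and refuses the cookie once that session has been logged out, so the replay in the steps above fails.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple


class Master:
    """Simplified model of the master site (not Bakery's real cookie format)."""

    def __init__(self, key: bytes):
        self.key = key
        self.sessions = {}  # active session id -> username

    def login(self, user: str) -> Tuple[str, str]:
        """Create a session and issue an SSO cookie bound to that session id."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        payload = json.dumps({"name": user, "sid": sid}).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return sid, base64.urlsafe_b64encode(payload).decode() + "." + mac

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)  # session gone => cookie no longer valid

    def validate(self, cookie: str) -> Optional[str]:
        """Return the username if the cookie is authentic and its session is live."""
        try:
            b64, mac = cookie.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None  # tampered or forged cookie
        data = json.loads(payload)
        # The fix: the cookie only authenticates while the session it names exists.
        if self.sessions.get(data["sid"]) != data["name"]:
            return None
        return data["name"]


def replay_after_logout(master: Master) -> Tuple[Optional[str], Optional[str]]:
    """Reproduce the reported scenario: validate a saved cookie before and after logout."""
    sid, cookie = master.login("alice")
    before = master.validate(cookie)
    master.logout(sid)
    after = master.validate(cookie)
    return before, after
```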

Related issues:
#1450842: Set SSO cookie only on master
SSO cookie reset before authentication is complete on subsite (Closed: outdated)

Credit to Tejash Patel for the original report on this.

Type: Feature request
Status: Active
Version: 3.0
Component: Code
Created by: coltrane (United States)
