Branch: refs/heads/master
Home:
https://github.com/tribe29/checkmk
Commit: 5bec0f692e464e731849345a43850a22f19a3f66
https://github.com/tribe29/checkmk/commit/5bec0f692e464e731849345a43850a22f…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-08-10 (Wed, 10 Aug 2022)
Changed paths:
A .werks/14482
M cmk/gui/login.py
Log Message:
-----------
14482 SEC Use proper HMAC for cookie signing
Prior to this Werk the session cookies were signed by calculating a
SHA256 hash over username, session id, a serial plus a secret. This could in
theory lead to a "partial message collision".
Since we parse the data given in the cookie and test for validity, we are
confident that such an attack is not possible. But to be future-proof we switch
to proper HMAC for signing the cookie value. This will invalidate all session
cookies for a site. Therefore all users have to reauthenticate to retrieve new
valid cookies.
CMK-11043
Change-Id: I85f26f719889966e89f00be390698cdf9d3a3ca2
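The two constructions the Werk contrasts, as an added illustration that is not the Checkmk code from this commit: a plain hash over concatenated fields plus a secret, beside an HMAC over length-prefixed fields with a constant-time check. The cookie layout, the `SECRET` value and all function names are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed secret for the example; a real site reads a random secret from disk.
SECRET = b"constructed-example-site-secret"


def legacy_digest(username: str, session_id: str, serial: int, secret: bytes = SECRET) -> str:
    """Hypothetical reconstruction of the older style: one SHA-256 over the
    fields concatenated with the secret. Field boundaries are lost, so
    ("ab", "c1") and ("a", "bc1") produce the same input bytes."""
    data = f"{username}{session_id}{serial}".encode() + secret
    return hashlib.sha256(data).hexdigest()


def _cookie_payload(username: str, session_id: str, serial: int) -> bytes:
    # Length-prefix every field so distinct field tuples never encode identically.
    parts = [username.encode(), session_id.encode(), str(serial).encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def hmac_tag(username: str, session_id: str, serial: int, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 over the unambiguous payload, keyed with the site secret."""
    return hmac.new(secret, _cookie_payload(username, session_id, serial), hashlib.sha256).hexdigest()


def sign_cookie(username: str, session_id: str, serial: int, secret: bytes = SECRET) -> str:
    return f"{username}:{session_id}:{serial}:{hmac_tag(username, session_id, serial, secret)}"


def verify_cookie(cookie: str, secret: bytes = SECRET) -> bool:
    """Parse the cookie, recompute the tag and compare in constant time.
    Malformed cookies (wrong field count, non-integer serial) are rejected."""
    try:
        username, session_id, serial_str, tag = cookie.rsplit(":", 3)
        serial = int(serial_str)
    except ValueError:
        return False
    return hmac.compare_digest(hmac_tag(username, session_id, serial, secret), tag)
```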