- Defect (Security)
- Resolution: Unresolved
- Trivial
- None
- 3.0.0beta2
- Any
If you steal a cookie from an end user, you can use this cookie to perform a replay attack as long as the other user is logged in. By sending an email to a fake login, you can tell when the user attempts to log in and replay their cookie.
Something like a session ID should be set alongside the zbx_session cookie to ensure that only one session at a time is using a particular cookie. The test for this issue can be performed by using two different browsers or systems.
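A detection-side check for the condition described above, as an added example that is not part of the original report or of Zabbix's code: it scans constructed access records for one zbx_session value presented by two different clients while the session is still live. The record format, the 15-minute `WINDOW`, and the function names are assumptions made for the illustration.

```python
"""Flag a session cookie presented by more than one client while still in use."""
import hashlib
from datetime import datetime, timedelta

# Constructed sample records (an assumed format, not a real Zabbix log):
# ISO timestamp | client IP | User-Agent | zbx_session cookie value
SAMPLE_LOG = """\
2016-01-12T09:00:01|10.0.0.5|Firefox/43.0|aaaa1111
2016-01-12T09:02:10|10.0.0.5|Firefox/43.0|aaaa1111
2016-01-12T09:03:30|192.0.2.77|Chrome/47.0|aaaa1111
2016-01-12T09:04:00|10.0.0.9|Chrome/47.0|bbbb2222
2016-01-12T12:30:00|10.0.0.23|Chrome/47.0|bbbb2222
"""

WINDOW = timedelta(minutes=15)  # assumed idle time within which a session counts as live


def parse(line):
    """Split one record into (timestamp, client fingerprint, cookie digest)."""
    ts, ip, agent, cookie = line.split("|", 3)
    # Keep only a digest so the report never contains a usable cookie value.
    digest = hashlib.sha256(cookie.encode()).hexdigest()[:12]
    return datetime.fromisoformat(ts), (ip, agent), digest


def find_concurrent_reuse(log_text, window=WINDOW):
    """Return {cookie_digest: sorted clients} for cookies used by two or more
    distinct (IP, User-Agent) pairs within `window` of each other."""
    last_seen = {}  # digest -> {client: timestamp of its latest request}
    flagged = {}
    records = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, client, digest in records:
        clients = last_seen.setdefault(digest, {})
        # Other clients that used this same cookie recently enough to be live.
        live_others = [c for c, seen in clients.items()
                       if c != client and ts - seen <= window]
        if live_others:
            flagged.setdefault(digest, set()).update(live_others + [client])
        clients[client] = ts
    return {d: sorted(c) for d, c in flagged.items()}


if __name__ == "__main__":
    for digest, clients in find_concurrent_reuse(SAMPLE_LOG).items():
        print(digest, clients)
```

In the sample, the first cookie is flagged because a second browser presents it 80 seconds after the original client; the second cookie is not, because its new client appears hours after the session went idle.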