Vulnerability in https://mail.rainloop.net/

[DEV696]

I have identified a session fixation vulnerability, below is the steps to reproduce:

Step 1: Browse the application https://mail.rainloop.net/ in any browser and intercept the request over proxy.
Step 2: Now observe the session cookie "rlsession=bdecad79956032d7c64489ad2962a593"
Step 3: Now login into the application and again intercept the request of an authenticated page.
Step 4: Now again observe the cookie "rlsession=bdecad79956032d7c64489ad2962a593"
Step 5: The session cookie is same prior and post authentication which makes the application vulnerable to session fixation.

Reference Link:
https://owasp.org/www-community/attacks/Session_fixation

Mitigation/Patch
If you assign a new session when someone logs in, this flaw should be fixed.

[DEV696]

Hi can someone please provide a comment on the reported issue ?

[the-djmaze]

Although owasp has some good information, this particular one is not good.
The examples they provide are not good and are XSS related.
A new session id does not solve the examples.

[DEV696]

The examples are the scenarios through which this vulnerability can create a big impact. If the application is vulnerable to XSS than an attacker can steal the cookie which is persistent every time.

Assigning a new session ID with secure and httponly attribute will surely fix this issue.

[DEV696]

Please do let us know if you are gonna fix this.

Cheers
Devendra