2011-11-21 Instructure Advisory IAC71043 - Session Cookie Replay Attack

Document created by jordan@instructure.com on Sep 22, 2015Last modified by Renee Carney on Sep 22, 2015
Version 3Show Document
  • View in full screen mode


Canvas + Logo transparent (WHITE)- 300px.png


  Release Date:2011-11-21  (Last update can be found below the document title)

Session Cookie Replay Attack

  Criticality Level:

Less Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )

  Impact:Easier Session Hijacking
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Securus Global
  Relevant Changesets:




A security audit has identified that the "stay logged in" login cookie for a given user will always have the same value, until the user changes their password or performs another similar action. This cookie is also set as a session cookie even when the user doesn't select "stay logged in", though in this case it is not persisted to their local disk.


The impact is that if the user's cookies are stolen, the attacker has the means to log in to Canvas as that user repeatedly, and for an indefinite period of time (until the user changes their password). Note that all communication with Canvas Cloud is over SSL, which makes stealing the user's Canvas cookies much more difficult.



A modification to Canvas has been developed which makes the "stay logged in" cookie a one-time use token that changes value for every user agent and every authentication. Future development will also place sensitive actions behind a login prompt when the user is authenticated through this token, forcing them to re-authenticate before performing such actions.