Can a user steal another user's session by stealing its session cookie?


by Di Juwel -
Number of replies: 3

I first tried the following on my Moodle 3.5.1 installed on my server and then tried it on Moodle's sandbox to make sure it's not something wrong with my server (video below):
I opened two browsers: in the Firefox browser I logged in as an admin, in the Chrome browser I logged in as a student.

Then I copied the content of the "MoodleSession" cookie ("MoodleSession" stores the session id, right?) from where I was logged in as an admin, and pasted it as the new content of the "MoodleSession" cookie in the browser in which I was logged in as a student.

At this point I was logged in as an admin in the browser where I had logged in as a student, just by knowing the session id.
Video of this here: https://streamable.com/qm4s0w

On my Moodle, I even tried to change the IP of the users in the "sessions" table ("firstip" and "lastip"), so that each of these users would have a different IP, and still I was identified as "admin" even though I never entered the admin details and just pasted the cookie's content.

Now I know it's easy because I'm an admin and already know the session id, but my question is this:
does this mean a user can steal another user's session by stealing its session cookie? Isn't that dangerous? Are there any security measures I can take to prevent it?


Average of ratings: -
In reply to Di Juwel

Re: Can a user steal another user's session by stealing its session cookie?

by Michael Hawkins -
Hi Di,

This is generally how sessions and session cookies work by design in web applications, which is why it is important to ensure they are protected.

Some of the measures you can put into place to protect session cookies include:

  1. Utilising SSL/HTTPS - this prevents sessions being stolen in-transit  (eg man-in-the-middle attacks).
  2. Ensuring only trusted users are assigned trusted user roles (teachers and admins), as they are able to include JavaScript content (see the XSS trusted users documentation for more details).
  3. I would highly recommend upgrading your Moodle instance from 3.5.1, to ensure all of the latest security fixes have been applied, as some of these do help protect user sessions from compromise. If you wish to remain on Moodle 3.5, version 3.5.12 has been released this week, otherwise, 3.8 is the latest current version (and 3.9 will be released next month).

The case you mentioned where the same user could be logged in on two IP addresses can be a valid situation, for example a student logged in on their laptop via WiFi, at the same time as being logged in on their phone/tablet via their mobile/cellular network. There is however the "Limit concurrent logins" admin setting you may want to look into, though it's worth keeping in mind many of your users may log in across multiple devices, so you need to consider what an appropriate limit may be (and whether that will provide any additional protection).

I hope that's a helpful starting point!
Average of ratings: Useful (5)
In reply to Michael Hawkins

Re: Can a user steal another user's session by stealing its session cookie?

by Di Juwel -
1. Done
2. Done
About 3:
We won't be able to upgrade our Moodle version to 3.8 or 3.9 soon, but we DO need the security fixes that help protect user sessions from compromise.
Can you point me to those fixes? We will apply any needed patches.

About what you mentioned regarding a user being logged in with different devices, and hence different IPs, at the same time:
we don't have a problem disallowing the users to do so, and we can restrict a user to using only 1 device per session.
Having said that, would it be a good idea to restrict a session per IP?

Also: if a user (student) somehow steals another user's (teacher) session cookie, is there anything that would prevent that user from being logged in as the teacher and having his capabilities?

One of the measures I was thinking about is adding the property "httpOnly" to the session cookie to prevent cookie theft via CSRF or XSS (XSS can be done in JavaScript to steal the user's session cookie).
In reply to Di Juwel

Re: Can a user steal another user's session by stealing its session cookie?

by Michael Hawkins -

Hi Di,

If you want to remain on Moodle 3.5, it may be worth considering upgrading to 3.5.12 to receive any relevant security patches, while remaining on the same major release version. However, if you do want to manually apply relevant patches, take a look at the security announcements page, where I publish all security fixes 1 week after they are released (which includes links to the patches). You can check the "versions affected" section of each announcement to see whether your version is affected. Currently for 3.5.x, fixes are listed up to 3.5.11, and any security fixes for 3.5.12 will be listed next Monday (18th May). For future updates, if you'd like to receive those security updates by email, you can register your Moodle site, where there is also an option to opt into receiving security alert emails, the advantage being that you also receive them on release day (1 week earlier than they are published on the site).

I'm not sure if you're proposing to restrict IPs so that each user must be on a different IP, or logging a user out if their IP address changes, but I think there are some considerations to make for both. For the first case, that will cause issues for users on a shared network that may have a single external IP, and for the second case, users can switch IPs, for example if they are joining/leaving a WiFi network, and occasionally dynamic IPs can expire etc.

I don't think there is a lot you can do to prevent a login where someone has gained another user's cookie (assuming you don't know that it has been stolen and taken action to invalidate that session), because that is the way modern web applications function, the aim being to protect sessions from compromise. We do, however, work hard to ensure measures (such as capability checks and sanitizing) are in place to protect users as much as possible from these types of risks.

If you would like to enable httpOnly, there is a setting available in Moodle site administration to do so (Site Administration > Security > Http Security > Only http cookies), along with a description of some potential compatibility limitations that you should be aware of.
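To make the trade-offs raised in both of Michael's replies concrete (the "Limit concurrent logins" setting, and why binding a session to an IP cuts both ways), here is an added Python model of a server-side session table. It is example code written for this thread, not Moodle's own code; the column names follow the thread's "sessions" table, while the in-memory SQLite store, the limit value of 2 and the function names are assumptions.

```python
import secrets
import sqlite3

DEFAULT_LIMIT = 2  # assumed stand-in for Moodle's "Limit concurrent logins" value


def open_store():
    """In-memory stand-in for a sessions table (columns modelled on the thread)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, userid INTEGER,"
               " firstip TEXT, lastip TEXT)")
    return db


def login(db, userid, ip, limit=DEFAULT_LIMIT):
    """Create a session after authentication (not modelled). The id is random and
    unguessable, so whoever presents it is the user as far as the server knows;
    sessions beyond `limit` for this user are evicted oldest-first."""
    sid = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)", (sid, userid, ip, ip))
    rows = db.execute("SELECT sid FROM sessions WHERE userid = ? ORDER BY rowid DESC",
                      (userid,)).fetchall()
    for (old_sid,) in rows[limit:]:
        db.execute("DELETE FROM sessions WHERE sid = ?", (old_sid,))
    return sid


def resolve(db, sid, ip, bind_ip=False):
    """Map a presented cookie value to a userid, or None if there is no live session.
    With bind_ip=True a request from an IP other than the last one destroys the
    session: that blocks reuse from elsewhere, but also logs out a user whose phone
    just moved from WiFi to cellular (the trade-off discussed above)."""
    row = db.execute("SELECT userid, lastip FROM sessions WHERE sid = ?", (sid,)).fetchone()
    if row is None:
        return None
    userid, lastip = row
    if bind_ip and ip != lastip:
        db.execute("DELETE FROM sessions WHERE sid = ?", (sid,))
        return None
    db.execute("UPDATE sessions SET lastip = ? WHERE sid = ?", (ip, sid))
    return userid


def logout_everywhere(db, userid):
    """Response once a compromise is known: invalidate every session of that user."""
    return db.execute("DELETE FROM sessions WHERE userid = ?", (userid,)).rowcount


def sessions_with_ip_change(db):
    """Review signal, not proof of theft: sessions whose IP differs from first use."""
    return [sid for (sid,) in db.execute("SELECT sid FROM sessions WHERE firstip != lastip")]
```

Without `bind_ip`, `resolve` returns the same userid for any client presenting the cookie, which is the behaviour the original post observed; the extra functions show what a site can do instead: cap sessions per user, invalidate everything once theft is suspected, and surface IP changes for review.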