Session Hijacking

Hi All,

Grafana 6.7.4 is tested for vulnerability and our team has come up with a high-risk item of session hijacking.

VA Team logins to Grafana and take the grafana_session value from cookie and able to login from another system with the same session value.

Do Grafana provide any solution for restricting the session to one system/browser? Or new session shouldn’t be created with the hijacked session value

Goushik Murugesan

1 Like

This issue can be addressed through auth proxy in Grafana. Nginx or Apache http server will act as authentication layer so grafana session doesnt store in session cache.

That sounds like you have moved problem from Grafana to another layer. I guess Nginx/Apache must have also own session cache, especially if you want to scale them horizontally.