Session Hijacking

Hi All,

Grafana 6.7.4 was tested for vulnerabilities, and our team has come up with a high-risk item: session hijacking.

The VA team logs in to Grafana, takes the grafana_session value from the cookie, and is able to log in from another system with the same session value.

Does Grafana provide any solution for restricting the session to one system/browser? Or a new session shouldn't be created with the hijacked session value?

Thanks,
Goushik Murugesan


This issue can be addressed through the auth proxy in Grafana. Nginx or Apache HTTP Server will act as the authentication layer, so the Grafana session doesn't get stored in the session cache.
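As an added example (not part of this thread, and not Grafana's or nginx's own documentation), the following nginx server block shows the auth proxy arrangement described in the reply above: nginx authenticates the browser itself and passes only the resulting username to Grafana in a header. The hostname, certificate paths, htpasswd file and upstream address are placeholders, and the block assumes grafana.ini has `[auth.proxy]` with `enabled = true`, `header_name = X-WEBAUTH-USER`, `header_property = username` and `whitelist = 127.0.0.1`.

```nginx
# Added example, not from the thread: nginx acting as the authentication layer in front of Grafana.
# Assumes Grafana listens on 127.0.0.1:3000 on the same host (placeholder address) and that
# grafana.ini has [auth.proxy] enabled = true, header_name = X-WEBAUTH-USER,
# header_property = username, whitelist = 127.0.0.1.

server {
    listen 443 ssl;
    server_name grafana.example.internal;              # placeholder hostname

    ssl_certificate     /etc/nginx/tls/grafana.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/tls/grafana.key;

    location / {
        # The proxy, not Grafana, authenticates the user. Basic auth against an htpasswd
        # file is used here only to keep the example self-contained.
        auth_basic           "Grafana";
        auth_basic_user_file /etc/nginx/grafana.htpasswd;   # placeholder file

        proxy_pass http://127.0.0.1:3000;

        # Tell Grafana who was authenticated. proxy_set_header replaces any X-WEBAUTH-USER
        # value the client supplied, so a browser cannot name a different user itself.
        proxy_set_header X-WEBAUTH-USER $remote_user;

        # Do not forward the browser's Basic credentials to Grafana.
        proxy_set_header Authorization "";

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two checks matter when verifying such a setup. First, the `whitelist` in `[auth.proxy]` must list only the proxy's address, and Grafana's own port must not be reachable by users directly; otherwise anyone who can reach port 3000 can send the `X-WEBAUTH-USER` header themselves. Second, the proxy must always overwrite that header rather than pass it through. With the auth proxy, Grafana does not issue its own login cookie unless `enable_login_token` is turned on, which is why the reply above says the Grafana session no longer lives in Grafana's session cache; the session state that remains is whatever the proxy's own authentication mechanism keeps.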

That sounds like you have moved the problem from Grafana to another layer. I guess Nginx/Apache must also have their own session cache, especially if you want to scale them horizontally.