Session hijacking #1103

Closed
opened 2026-02-04 23:47:41 +03:00 by OVERLORD · 10 comments

Originally created by @SeanIQX on GitHub (Mar 22, 2019).

Scenario:
2 users connecting from same office (Same WAN IP) to apache nginx server hosted on internet.
User1 logs in and starts using bookstack.
User2 logs in and is given the session of the other user.
(This can happen either way depending on if the other person is navigating or not.)

Steps To Reproduce
See above

Expected behavior
No session hijacking.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): BookStack v0.25.4
  • PHP Version: 7.2
  • Hosting Method: Nginx relayed to Apache

Additional context
Troubleshooting tried:
Tried changing to secure cookies.
Changed where sessions are stored. File to Database.
Changed session cookie name.
Recreated users.
Completely cleaned out cookies on local pc's.
Also tried via VPN to rule out same IP as issue.


@ssddanbrown commented on GitHub (Mar 22, 2019):

Hi @SeanIQX,
Can you confirm if you are using the standard authentication method (Email and password) or if you're using a third-party service or LDAP?

Also, Just to 100% confirm, do the two users in your scenario have different accounts in BookStack?


@SeanIQX commented on GitHub (Mar 22, 2019):

Hi @ssddanbrown ,
Standard authentication.
And two separate accounts yes.


@ssddanbrown commented on GitHub (Mar 22, 2019):

Thanks @SeanIQX,

Not sure what this could be really. Perhaps either some very aggressive caching at your nginx or apache layer that's caching cookie values, or perhaps something client-side.

Could you try to see if you're able to re-produce this on the demo site (https://demo.bookstackapp.com/login?email=admin@example.com&password=password)?
You should be able to create a new user to test this. Just be wary the demo instance resets every half-hour (At about 0-mins and 30-mins).

That will provide some insight into if this could be specific to your setup.


@SeanIQX commented on GitHub (Mar 25, 2019):

Hi @ssddanbrown
Tried on the demo site and that is fine, though the version is older compared to the one we have installed. It's 25.3, we are 25.4.
I think it's possibly something to do with Cloudflare. Going to try it without Cloudflare to see if that resolves it.


@SeanIQX commented on GitHub (Mar 25, 2019):

OK @ssddanbrown, it's not Cloudflare, have that disabled. Going to try changing the nginx caching just for testing, though this is getting into the undesirable changes area now.


@SeanIQX commented on GitHub (Mar 25, 2019):

It seems like it is NGINX. It seems to be to do with how the token is being hashed.
We are using Engintron NGINX. Gareth (who I cc'd in to the email I sent) has raised it as an issue on Engintron but if you could recommend anything we could look at to try and rectify the issue that would be great.


@ssddanbrown commented on GitHub (Mar 28, 2019):

@SeanIQX Thanks for the updates.

I'd advise just to ensure no BookStack requests themselves are being cached. Assets (Images, CSS, JS) can be cached but BookStack-served content will be fairly dynamic.

Not really familiar with Engintron. Perhaps make sure their micro caching feature is disabled (https://engintron.com/docs/#/pages/About-Engintrons-micro-caching-features)?

Or, if you have a choice between static or dynamic, make sure BookStack is using a dynamic config option.


@SeanIQX commented on GitHub (Apr 2, 2019):

@ssddanbrown Got it working.
It was specific to caching in nginx. Gareth will comment and elaborate on the fix. Thanks again.


@gareth-johnstone commented on GitHub (Apr 2, 2019):

Hi,
So as stated above our setup is a Nginx server relayed to Apache - our flavour of Nginx is called Engintron.

This is all neatly packaged as a plugin on cPanel's Web interface.

As stated in the comment https://github.com/BookStackApp/BookStack/issues/1345#issuecomment-477748851 we did the following to achieve this.

So, if anyone has a similar setup, log in to WHM > Plugins > Engintron, click on `Edit your custom_rules for Nginx`

and scroll down to the bottom and you'll see the following commented out; un-comment it and add your own URL(s):

```nginx
# === DOMAIN AND URL PATH EXCLUSIONS FROM CACHING ===
if ($SITE_URI ~* "my-url.to.bookstack/any/paths/to/it/") {
    set $CACHE_BYPASS_FOR_DYNAMIC 1; # Disables micro-caching
    set $CACHE_BYPASS_FOR_STATIC 1; # Disables static file caching
}
```

Thanks again for your help @ssddanbrown

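As an added illustration (not part of this thread or of BookStack/Engintron), a small Python simulation of the failure discussed above: a proxy micro-cache keyed on the URL alone stores user1's authenticated page and replays it to user2, while a bypass rule for the application's paths, the equivalent of the `$CACHE_BYPASS_FOR_DYNAMIC` rule posted above, keeps each user's page separate. The `/books` prefix, session ids and page bodies are constructed, and `bypass_session_requests` is a stricter generalization that skips the cache for any request carrying a session cookie.

```python
"""Simulated reverse-proxy micro-cache: a cache keyed on the URL alone hands
user1's authenticated page to user2 who requests the same URL moments later."""
from dataclasses import dataclass

SESSION_COOKIE = "bookstack_session"
APP_PREFIX = "/books"  # assumed path of the BookStack install behind the proxy
# Constructed session ids standing in for real BookStack session cookies.
SESSIONS = {"sess-aaa": "user1", "sess-bbb": "user2"}

@dataclass
class Request:
    path: str
    cookies: dict

def origin(req: Request) -> str:
    """The application: renders the page for whoever owns the session cookie."""
    user = SESSIONS.get(req.cookies.get(SESSION_COOKIE, ""), "guest")
    return f"{req.path}: logged in as {user}"

class MicroCache:
    """Proxy cache keyed on the URL only, as micro-caching does unless a
    bypass rule fires. bypass(req) returns True to skip the cache entirely."""
    def __init__(self, bypass):
        self.bypass = bypass
        self.store = {}
    def handle(self, req: Request) -> str:
        if self.bypass(req):
            return origin(req)  # always ask the app, never store the answer
        if req.path not in self.store:
            self.store[req.path] = origin(req)  # first visitor's page stored...
        return self.store[req.path]  # ...and replayed to everyone after them

def no_bypass(req: Request) -> bool:
    return False  # the misconfiguration in this issue: everything is cached

def bypass_app_paths(req: Request) -> bool:
    # Equivalent of the custom_rules fix: a URL match sets $CACHE_BYPASS_FOR_DYNAMIC.
    return req.path.startswith(APP_PREFIX)

def bypass_session_requests(req: Request) -> bool:
    # Stricter rule: never cache a response for a request carrying a session cookie.
    return SESSION_COOKIE in req.cookies

def serve_two_users(bypass) -> tuple:
    """user1 loads a page, then user2 (same office, same WAN IP) loads the same URL."""
    proxy = MicroCache(bypass)
    page = f"{APP_PREFIX}/shelves"
    first = proxy.handle(Request(page, {SESSION_COOKIE: "sess-aaa"}))
    second = proxy.handle(Request(page, {SESSION_COOKIE: "sess-bbb"}))
    return first, second
```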

@ssddanbrown commented on GitHub (Apr 3, 2019):

@SeanIQX @gareth-johnstone Awesome, Happy to hear you found the issue, Thanks for sharing your findings.

Will therefore close this issue since this now appears to be sorted.

Reference: starred/BookStack#1103