I am on a 7-8 month older version of Cockpit, but during Vulnerability Assessment and Penetration Testing by my client, they found:
PII disclosure,
stored XSS and XSS through file upload,
CSRF token reuse,
authentication bypass via response manipulation,
session hijacking.
Are any of these resolved in the latest version? If not, please guide me to fix them.
Note: it was a plain installation, with little to no customization.
artur
August 13, 2025, 4:21pm
2
Which version are you on?
artur
August 13, 2025, 4:26pm
3
It would also make sense to share the findings privately, or to do an assessment in general against a newer version.
Okay, I am sending you the reports today.
Based on this, we did a test on our internal framework built on top of yours.
Token reuse is indeed valid.
I was able to replicate session hijacking too using a cookie editor.
Steps:
Log in to Cockpit -> export the session cookie using the Cookie-Editor extension -> import the cookie on a different device using the same extension -> logged in, boom.
artur
November 12, 2025, 10:29pm
8
This is a php.ini configuration issue. Make sure to have the following configured:
```
; php.ini session cookie hardening
session.cookie_httponly = 1
session.cookie_secure = 1
session.cookie_samesite = "Strict"
session.use_only_cookies = 1
session.use_strict_mode = 1
```
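A small checker for the directives listed in the post, added here as an example and not part of the thread or of Cockpit itself. It parses a php.ini the way PHP reads it (`;` comments, optional `"quoted"` values, boolean spellings such as `On`/`Off`, last assignment wins) and reports each directive's effective value, falling back to PHP's built-in default when a directive is absent. The two inline ini fragments are constructed samples; the file path on the command line and the assumption that no `conf.d` fragment, `.user.ini` or `ini_set()` call overrides the file are the reader's to verify.

```python
"""Audit a php.ini for the session cookie directives from the post above.
Added example; constructed sample inputs, not real server configuration."""
import sys

# Directives from the post and the value each must resolve to.
REQUIRED = {
    "session.cookie_httponly": "1",
    "session.cookie_secure": "1",
    "session.cookie_samesite": "Strict",
    "session.use_only_cookies": "1",
    "session.use_strict_mode": "1",
}
# Value PHP uses when the directive is absent from every loaded ini file
# (built-in defaults per the PHP session docs; assumes nothing else overrides).
BUILTIN_DEFAULT = {
    "session.cookie_httponly": "0",
    "session.cookie_secure": "0",
    "session.cookie_samesite": "",
    "session.use_only_cookies": "1",
    "session.use_strict_mode": "0",
}
TRUE_WORDS = {"1", "on", "true", "yes"}
FALSE_WORDS = {"0", "off", "false", "no", "none", ""}


def strip_comment(line: str) -> str:
    """Drop a ';' comment, but not a ';' inside a quoted value."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ";":
            return line[:i]
    return line


def parse_php_ini(text: str) -> dict:
    """{directive: value}; '[Section]' headers are skipped, later lines win."""
    settings = {}
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # php.ini allows "quoted" values
        settings[key.lower()] = value
    return settings


def normalise_bool(value: str) -> str:
    v = value.strip().lower()
    return "1" if v in TRUE_WORDS else "0" if v in FALSE_WORDS else v


def audit(text: str) -> dict:
    """Per directive: effective value, where it came from, and whether it passes."""
    settings = parse_php_ini(text)
    report = {}
    for key, wanted in REQUIRED.items():
        if key in settings:
            value, source = settings[key], "ini"
        else:
            value, source = BUILTIN_DEFAULT[key], "default"
        if wanted == "1":
            ok = normalise_bool(value) == "1"
        else:  # SameSite: browsers compare the attribute case-insensitively
            ok = value.strip().lower() == wanted.lower()
        report[key] = {"value": value, "source": source, "ok": ok}
    return report


def failing(text: str) -> list:
    """Directives that are absent or set to an unacceptable value."""
    return [k for k, r in audit(text).items() if not r["ok"]]


# Constructed sample: php.ini-production style, directives still commented
# out, as on a plain install.
WEAK_INI = """\
[Session]
session.use_only_cookies = 1
;session.cookie_secure =
session.cookie_httponly = Off
session.use_strict_mode = 0
; session.cookie_samesite = "Strict"
"""
# Constructed sample: the same file after applying the post's settings.
HARDENED_INI = """\
[Session]
session.cookie_httponly = 1
session.cookie_secure = 1
session.cookie_samesite = "Strict"
session.use_only_cookies = 1
session.use_strict_mode = 1
"""

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_INI
    for key, r in audit(source).items():
        print(f"{'ok  ' if r['ok'] else 'FAIL'} {key} = {r['value']!r} ({r['source']})")
```

Run it against the file reported by `php --ini`, then confirm the running interpreter agrees with `php -i | grep session.cookie`, since a `conf.d` fragment or an `ini_set()` call in the application can override what the main file says. Note what these directives do and do not buy: HttpOnly, Secure and SameSite=Strict cut off script access, plaintext transport and cross-site sends, and `use_strict_mode` rejects session ids the server never issued, but a cookie already exported from a logged-in browser remains a valid session id until PHP or the application expires or regenerates that session, so pair them with server-side session lifetime and `session_regenerate_id()` on login.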