This vulnerability was introduced upstream in commit b895f4a3, which addressed https://fedorahosted.org/freeipa/ticket/6682.  Since that commit, freeipa would ask the client to delete the cookie but retain it in the server-side ccache until it naturally expired.

The session cookie is highly sensitive information while the session is active, since it can be used to impersonate the user.  It is possible that applications may treat cookies of logged-out sessions more casually, expecting the cookie to no longer be recognised by the server.  Good practice would be to completely erase the cookie client side, or at least never store it with less care than while it is valid, but some applications may fail to do that or save the cookie in a debug log after logout.  Depending on how long the cookie remains valid in the server's ccache, this represents an opportunity for a third party to obtain and re-use the "expired" cookie.

Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 1752710]

Hi Doran,
I want to put on the record that I contest the characterization of this bug.

The system works as design and rely on timeouts and browsers not leaking cookies like countless websites do.

Browsers do remove cookies when told, if other applications do not properly handle their access tokens, it is those applications fault, they could as well leak TGTs or passwords, still doesn't make it a server problem.

(In reply to Simo Sorce from comment #6)
> Hi Doran,
> I want to put on the record that I contest the characterization of this bug.

Thanks Simo.  I think your objection has merit, the attack scenario described in comment 2 requires more than a few misbehaving components beyond IPA.  I'll seek counsel in prodsec about which side of the hardening/vulnerability line this belongs.

Consensus from Product Security is that this should be tracked as a CVE as while the risk is very small, it is a genuine vulnerability.  Standard browsers will delete the cookie on request, but in the abstract sense a client hitting the logout endpoint on the server is requesting that its token be invalidated, which is not happening here.

Hopefully the Statement makes this clear on CVE pages; I don't think users should be concerned about this issue *unless* they are doing unusual things with automation etc, in which case they need to know their client applications must treat invalidated credentials as still sensitive.

Statement:

In order to exploit this flaw, an attacker would need to obtain a user's session cookie after the user has logged out but before the server-side credential cache expires. Typically, this will not be possible because browsers protect the cookie while it is valid and delete it immediately as instructed by the server on logout. In order to be exposed to this vulnerability, one would need to be accessing FreeIPA in a non-standard fashion with an insecure web browser or a client application that stores and shares excessive debugging information. Most users of FreeIPA will not be at risk from this flaw.

*** Bug 1851341 has been marked as a duplicate of this bug. ***