Guidance on Session Hijacking Finding in SonarQube

Hello Team,

I am reviewing session handling behavior in SonarQube and wanted to get some guidance from the community.

While testing, I observed that an authenticated session remains valid if the session cookie is reused in another browser session.

I wanted to understand:

  • Is this expected behavior in SonarQube by default?

  • Are there any recommended configurations or best practices for session hardening?

  • Are there any official references or documentation related to securing user sessions in SonarQube?

Any insights or recommendations would be helpful.

If you still need more inputs, please reach out to me and I will provide them.

Thanks,
Salma.

Hi Salma,

As with every webapp that uses cookies to authenticate a user session, this is a risk.
It’s also the norm.

For someone to exploit this, they would need access to a user’s browser (or worse, whole machine), which means they can also piggyback onto the user’s existing session, so cookie reuse is probably the least of your worries.

Since you seem to have strong security requirements, the only suggestion I can make is to use network-level restrictions for your instance (e.g. IP allow-lists, company internal network, etc.).

Hope that helps!