- userA shares a talk room and protects it with a password
- userB opens the link but does not enter the password yet
- an attacker steals the cookies from userB
- userB logs in by entering the password
- the attacker is now also able to read the conversation, etc.
Impact
In short, the attacker is able to take over the guest session of userB in this talk room.
The session id should be renewed once the password has been entered, so that a cookie captured before authentication no longer grants access.
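To make the fix concrete, the following added example (constructed for this page, not Nextcloud's own code) models the steps above with a small in-memory session store and contrasts upgrading the pre-auth session id in place with issuing a fresh id once the password is accepted; the password value and store API are assumptions.

```python
import secrets

# Constructed placeholder for the password userA set on the shared room.
SHARE_PASSWORD = "placeholder-room-password"


class SessionStore:
    """Minimal guest-session store; session id -> {"authenticated": bool}."""

    def __init__(self, regenerate_on_auth: bool):
        self.sessions = {}
        self.regenerate_on_auth = regenerate_on_auth

    def open_link(self) -> str:
        # userB opens the share link: a guest session exists before any password.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"authenticated": False}
        return sid

    def enter_password(self, sid: str, password: str) -> str:
        # Returns the session id that is valid after the password step.
        if sid not in self.sessions or password != SHARE_PASSWORD:
            return sid
        if not self.regenerate_on_auth:
            # Vulnerable behaviour: the pre-auth id is upgraded in place, so a
            # cookie copied before login becomes an authenticated cookie.
            self.sessions[sid]["authenticated"] = True
            return sid
        # Mitigation: issue a fresh id and invalidate the pre-auth one.
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"authenticated": True}
        del self.sessions[sid]
        return new_sid

    def can_read_room(self, sid: str) -> bool:
        # Only a still-valid, authenticated session may read the conversation.
        return self.sessions.get(sid, {}).get("authenticated", False)


def replay_scenario(regenerate_on_auth: bool):
    """Replays the reported steps; returns (stolen cookie works, userB's cookie works)."""
    store = SessionStore(regenerate_on_auth)
    guest_sid = store.open_link()                          # link opened, no password
    stolen_sid = guest_sid                                 # cookie copied before login
    user_sid = store.enter_password(guest_sid, SHARE_PASSWORD)  # userB enters password
    return store.can_read_room(stolen_sid), store.can_read_room(user_sid)


if __name__ == "__main__":
    print("without renewal (stolen, userB):", replay_scenario(False))
    print("with renewal    (stolen, userB):", replay_scenario(True))
```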