Advisories for Pypi/Aiohttp-Session package

2018

Insufficient Session Expiration

EncryptedCookieStorage and NaClCookieStorage both lack proper session expiration. A user who holds a legitimate session cookie can later replay it by presenting a cookie with the same value as the original, and the server accepts it again, which defeats the purpose of cookie expiry.

Session Fixation

aio-libs aiohttp-session contains a Session Fixation vulnerability in the load_session function of RedisStorage that can result in session hijacking. The attack appears to be exploitable via any method that allows setting session cookies (a ?session=<> parameter, or meta tags or script tags that emit Set-Cookie).
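The two advisories above describe the same root cause from two sides: the cookie-based storages have no authenticated notion of when a session was created, and the Redis-backed storage adopts whatever session id the client presents. The following example, added here as an illustration and not code from aiohttp-session, shows the mitigations a defender would apply to each. SignedCookieStorage embeds the creation time inside the HMAC-protected payload so a stale cookie is rejected even if the client re-sends it unchanged; ServerSideStorage (a dict standing in for Redis) only honours ids that already exist in the store and issues a fresh server-generated id otherwise. All class and function names, the MAX_AGE value, and the demo key are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demonstration code, not aiohttp-session's own implementation.
# Names (SignedCookieStorage, ServerSideStorage, MAX_AGE) are assumptions.

MAX_AGE = 3600          # seconds a cookie-based session stays valid after creation
_MAC_LEN = hashlib.sha256().digest_size


def _sign(key: bytes, payload: bytes) -> str:
    """Append an HMAC-SHA256 tag and base64-encode payload||tag as a cookie value."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode("ascii")


def _unsign(key: bytes, cookie: str):
    """Return the payload if the tag verifies, else None (tampered or malformed)."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) < _MAC_LEN:
        return None
    payload, tag = raw[:-_MAC_LEN], raw[-_MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


class SignedCookieStorage:
    """Stateless storage: all session data travels inside the cookie.

    Mitigation for the expiration issue: the creation time is part of the
    authenticated payload, so the server can reject a cookie older than
    max_age even though the client can keep re-sending it unchanged.
    """

    def __init__(self, key: bytes, max_age: int = MAX_AGE):
        self._key = key
        self._max_age = max_age

    def save(self, data: dict, now=None) -> str:
        created = time.time() if now is None else now
        payload = json.dumps({"created": created, "session": data}).encode()
        return _sign(self._key, payload)

    def load(self, cookie: str, now=None):
        payload = _unsign(self._key, cookie)
        if payload is None:
            return None                      # forged or corrupted cookie
        obj = json.loads(payload)
        current = time.time() if now is None else now
        if current - obj["created"] > self._max_age:
            return None                      # replayed after expiry: treat as no session
        return obj["session"]


class ServerSideStorage:
    """Server-side storage; a dict stands in for the Redis backend.

    Mitigation for session fixation: load_session only honours a cookie value
    that already exists in the store. An unknown id supplied by the client is
    never adopted as the key; a fresh server-generated id is issued on save.
    """

    def __init__(self):
        self._store = {}

    def load_session(self, cookie):
        if cookie is not None and cookie in self._store:
            return cookie, dict(self._store[cookie])
        return None, {}                      # unknown/absent id -> new, keyless session

    def save_session(self, session_id, data: dict) -> str:
        if session_id is None:
            session_id = secrets.token_urlsafe(32)   # server picks the id, never the client
        self._store[session_id] = dict(data)
        return session_id


if __name__ == "__main__":
    cookies = SignedCookieStorage(b"demo-key")
    c = cookies.save({"user": "alice"}, now=1000)
    print(cookies.load(c, now=1100))                    # {'user': 'alice'}
    print(cookies.load(c, now=1000 + MAX_AGE + 1))      # None

    store = ServerSideStorage()
    sid, _ = store.load_session("id-chosen-by-client")
    print(sid)                                          # None
    print(store.save_session(sid, {"user": "bob"}) != "id-chosen-by-client")  # True
```

The `now` parameter exists only so the expiry check is deterministic in tests; in a real handler the wall clock is used. Note that a signed creation timestamp bounds the lifetime of a replayed cookie but does not revoke it early; if individual logout must invalidate a cookie, the server still needs state (a revocation list or a server-side store) because a purely stateless cookie cannot be forgotten by the client.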