Open Closed

Session Fixation Vulnerability #2342


User avatar
0
ibrahim.onat created
  • ABP Framework version: v4.4.3
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:"

We're having a similar issue to the one that linked below: https://support.abp.io/QA/Questions/424/How-to--prevent-accesstoken-reuse-when-logouted

We changed the access token lifetime, and even its value was 90 seconds the issue continued.

Is there any settings or steps we missed?

To reproduce the issue, 1.Get access token of an authorized user 2.Logout 3.Use the token to fetch data with credentials of an unauthorized user You will see that the data is fetched successfully even though the token is expired.


2 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Can you check this: https://github.com/abpframework/abp/issues/10303#issuecomment-992030630

  • User Avatar
    0
    ibrahim.onat created

    We tried the solution and it worked.

    Thank you for your time

Made with ❤️ on ABP v9.1.0-preview. Updated on November 19, 2024, 12:56