- ABP Framework version: v8.3.2
- UI Type: Blazor WASM
- Database System: PostgreSQL
- Tiered (for MVC) or Auth Server Separated (for Angular): yes
- Exception message and full stack trace:
- Steps to reproduce the issue:
If a user has logged into the application, they must stay logged in even if they don't touch the application and it is in the background. This is so that any alerts will appear/sound, and if they want to take immediate action they can do that.
However, if the user logs out, their session must be terminated and they are forced to log in again.
Problem: We have just been through a security review and the application is failing with a scenario:
UserA logs in and then logs out, but a different user is able to hijack the token that UserA was issued, i.e. logout does not destroy the token.
To reproduce this issue, perform the following steps:
Session Timeout
- Using a web browser, navigate to the **[application URL]**.
- Authenticate to the application.
- Leave the session unattended for 45 minutes.
- Navigate to another page on the application and note the session is still valid.
Session Teardown
- Set up an intercepting proxy such as Burp Suite.
- Using a web browser, navigate to the application URL.
- Authenticate to the application as an administrative user.
- Intercept a request to create a new user, send it to the Repeater tab and drop the request. Verify that the new user has not been created.
- Log out of the application. Verify that the user has been successfully logged out of the application.
- Send the intercepted request that is in the Repeater tab, and note a 200 HTTP response code is returned.
- Validate that the new user has been created whilst the admin was logged out.
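The two scenarios above are really one design question: whether the resource server checks anything beyond the token's signature and expiry. The following is an added example, not ABP's or the reporter's code, written to model both checks in a self-contained way. The signing key, token format, user names and timestamps are all constructed for the demo; `StatelessValidator` and `RevokingValidator` are hypothetical names. In a real deployment the analogous control is server-side token revocation (or reference tokens looked up on each request) on the auth server, with the revocation applied when the logout endpoint is called.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed demo key; a real deployment uses the auth server's managed signing key.
SIGNING_KEY = b"constructed-demo-signing-key"
TOKEN_LIFETIME_SECONDS = 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, now: float) -> str:
    """Mint a self-contained bearer token: signed claims with a unique id (jti) and an expiry."""
    claims = {"sub": user, "jti": secrets.token_hex(8), "exp": now + TOKEN_LIFETIME_SECONDS}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def parse_token(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, otherwise None."""
    if token.count(".") != 1:
        return None
    body, sig = token.split(".")
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(body))


class StatelessValidator:
    """Signature and expiry only. Logout has nothing to act on, so a captured token
    keeps working until it expires; this is the behaviour the review flagged."""

    def logout(self, token: str) -> None:
        pass  # nothing server-side to tear down

    def is_valid(self, token: str, now: float) -> bool:
        claims = parse_token(token)
        return claims is not None and now < claims["exp"]


class RevokingValidator:
    """Same signature/expiry checks plus a server-side revocation list keyed by jti."""

    def __init__(self) -> None:
        self.revoked: Dict[str, float] = {}  # jti -> exp, so entries can be purged once useless

    def logout(self, token: str) -> None:
        claims = parse_token(token)
        if claims is not None:
            self.revoked[claims["jti"]] = claims["exp"]

    def purge_expired(self, now: float) -> None:
        """Drop revocations for tokens that could no longer pass the expiry check anyway."""
        self.revoked = {jti: exp for jti, exp in self.revoked.items() if exp > now}

    def is_valid(self, token: str, now: float) -> bool:
        claims = parse_token(token)
        if claims is None or now >= claims["exp"]:
            return False
        return claims["jti"] not in self.revoked


def replay_after_logout(validator, now: float = 1_700_000_000.0) -> bool:
    """The 'Session Teardown' scenario: a request captured while the admin is logged in
    is replayed after logout. Returns True if the replayed request would still be accepted."""
    token = issue_token("admin", now)
    if not validator.is_valid(token, now):
        raise RuntimeError("a freshly issued token must validate")
    validator.logout(token)
    return validator.is_valid(token, now + 5)


def idle_session_still_valid(validator, idle_minutes: int = 45, now: float = 1_700_000_000.0) -> bool:
    """The 'Session Timeout' scenario: the reporter wants an idle, not-logged-out session to stay valid."""
    token = issue_token("userA", now)
    return validator.is_valid(token, now + idle_minutes * 60)


if __name__ == "__main__":
    for name, validator in (("stateless", StatelessValidator()), ("revoking", RevokingValidator())):
        print(f"{name}: replay after logout accepted = {replay_after_logout(validator)}, "
              f"idle 45 min still valid = {idle_session_still_valid(validator)}")
```

The revoking variant keeps the idle session alive (the first scenario is not a timeout failure from the reporter's point of view) while rejecting the replayed request after logout. Keying the list by `jti` rather than by user also means revoking one device's token does not log the same user out everywhere, and `purge_expired` bounds the list's growth to the token lifetime.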
1 Answer(s)
Hi there,
Thank you for reporting this issue. You provided a good scenario. I will deliver this case to our team. We will enhance our session management logic according to your case to ensure better security.
We appreciate your feedback and patience as we work to improve the system.