
Security breach - Session management #8829


AndrewT created
  • ABP Framework version: v8.3.2

  • UI Type: Blazor WASM

  • Database System: PostgreSQL

  • Tiered (for MVC) or Auth Server Separated (for Angular): yes

  • Exception message and full stack trace:

  • Steps to reproduce the issue:

If a user has logged into the application, they must stay logged in even if they don't touch the application and it is in the background. This is so that any alerts will appear/sound, and if they want to take immediate action they can do that.

However if the user logs out, their session must be terminated and they are forced to log in again.

Problem: We have just been through a security review and the application is failing with a scenario;

UserA logs in and then logs out, but a different user is able to hijack the token that UserA was issued, i.e. logout does not destroy the token.

To reproduce this issue perform the following steps:

Session Timeout

  1. Using a web browser, navigate to the [application URL].

  2. Authenticate to the application.

  3. Leave the session unattended for 45 minutes.

  4. Navigate to another page on the application and note the session is still valid.

Session Teardown

  5. Set up an intercepting proxy such as Burp Suite.

  6. Using a web browser, navigate to the application URL.

  7. Authenticate to the application as an administrative user.

  8. Intercept a request to create a new user, send to the Repeater tab and drop the request. Verify that the new user has not been created.

  9. Log out of the application. Verify that the user has been successfully logged out of the application.

  10. Send the intercepted request that is in the repeater tab, and note a 200 HTTP response code is returned.

  11. Validate that the new user has been created, whilst the admin was logged out.
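
The steps above fail because a self-contained bearer token (a JWT that the API validates by signature and expiry alone) is, by design, valid until it expires; logging out on the client discards the client's copy but does not change what the API will accept. The following is an added example, not code from this issue or from ABP/OpenIddict: a stdlib-only model of steps 7-11 in which a captured request is replayed after logout, first against a stateless verifier (accepted, as the review found) and then against one that consults a server-side revocation record written at logout. It assumes the access token is a signed JWT checked statelessly by the resource server; the function names, the HS256 key and the clock values are constructed for the example. In an ASP.NET Core API the equivalent check would live in `JwtBearerEvents.OnTokenValidated` (calling `context.Fail(...)` when the `jti` is revoked) or, alternatively, in switching to reference tokens with introspection so that revocation happens at the authorization server.

```python
"""Added example, not code from the issue or from ABP/OpenIddict: a stdlib-only model of why a
self-contained bearer token keeps working after logout, and the server-side checks that close
the gap. Function names, the HS256 key and the clock values are constructed for the example."""
import base64
import hashlib
import hmac
import json
import uuid
from typing import Callable, Dict, Optional

SECRET = b"demo-hs256-key-constructed-for-the-example"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, now: int, lifetime_s: int = 3600) -> str:
    """Mint a minimal HS256 JWT carrying a unique jti so it can be revoked individually."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "iat": now, "exp": now + lifetime_s, "jti": uuid.uuid4().hex}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def decode_token(token: str, now: int) -> Optional[dict]:
    """Stateless validation only (signature and exp): what a JWT resource server does by default."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


# Server-side state that logout must update for revocation to be possible at all.
REVOKED_JTI: Dict[str, int] = {}       # jti -> exp; entries may be purged once exp has passed
USER_LOGOUT_AT: Dict[str, int] = {}    # sub -> time of that user's most recent logout


def logout(token: str, now: int) -> None:
    """Logout records the token's jti and the user's logout time, not just a client-side clear."""
    claims = decode_token(token, now)
    if claims is not None:
        REVOKED_JTI[claims["jti"]] = claims["exp"]
        USER_LOGOUT_AT[claims["sub"]] = now


def verify_stateless(token: str, now: int) -> bool:
    """The behaviour the report observes: no server state is consulted, so a replay is accepted."""
    return decode_token(token, now) is not None


def verify_with_revocation(token: str, now: int) -> bool:
    """Hardened: reject a revoked jti and any token issued before the user's last logout."""
    claims = decode_token(token, now)
    if claims is None:
        return False
    if claims["jti"] in REVOKED_JTI:
        return False
    if claims.get("iat", 0) < USER_LOGOUT_AT.get(claims["sub"], 0):
        return False
    return True


def handle_create_user(headers: Dict[str, str], verify: Callable[[str, int], bool], now: int) -> int:
    """Simulated admin endpoint; returns the HTTP status the caller would see."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    return 200 if verify(auth[len("Bearer "):], now) else 401


def replay_after_logout(verify: Callable[[str, int], bool], sub: str) -> tuple:
    """Steps 7-11 of the report: park a captured request, log out, then replay the parked request."""
    t0 = 1_700_000_000                                 # constructed clock, seconds since the epoch
    token = issue_token(sub, now=t0)
    captured = {"Authorization": "Bearer " + token}    # the request held in Repeater
    before = handle_create_user(captured, verify, t0 + 5)
    logout(token, now=t0 + 60)
    after = handle_create_user(captured, verify, t0 + 90)
    return before, after


if __name__ == "__main__":
    print("stateless:      ", replay_after_logout(verify_stateless, "admin-a"))        # (200, 200)
    print("with revocation:", replay_after_logout(verify_with_revocation, "admin-b"))  # (200, 401)
```

The two server-side records serve different purposes: the `jti` denylist kills exactly the token that was logged out, and the per-user logout timestamp kills every token issued before that moment (useful when the client no longer has the token to hand over, or when an administrator disables an account). Neither introduces an idle timeout, so the requirement that an untouched background session keeps receiving alerts is unaffected: a token is rejected only on logout or at its absolute expiry. The denylist needs to live in shared storage (for instance the distributed cache) when the API runs on more than one node, and entries can be dropped once their `exp` has passed.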


1 Answer(s)
  • enisn created
    Support Team .NET Developer

    Hi there,

    Thank you for reporting this issue. You provided a good scenario. I will deliver this case to our team. We will enhance our session management logic according to your case to ensure better security.

    We appreciate your feedback and patience as we work to improve the system.

Made with ❤️ on ABP v9.2.0-preview. Updated on March 18, 2025, 10:42