
#PT12068_1 - Session Token Doesn’t Expire On Password Change


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security, Security / Rights

      Description

      Authentication and Sessions > Failure to Invalidate Session > On Password Reset and/or Change

      Proof of Concept

      1. Log in to the account on https://pentest.beta.nuxeocloud.com in two separate browsers.
      2. From one browser, go to https://pentest.beta.nuxeocloud.com/nuxeo/ui/#!/profile and change the password.
      3. Now check the old session tokens: they are still active.

      Suggested Fix

      Properly invalidate all user sessions server-side when the user resets their password and, at a minimum, invalidate all non-current user sessions server-side when the user changes their password.

      A secure session termination requires at least the following components:

      • Availability of user interface controls that allow the user to manually log out.
      • Session termination after a given amount of time without activity (session timeout).
      • Proper invalidation of server-side session state.

      The use of a single sign-on (SSO) system instead of an application-specific authentication scheme often causes the coexistence of multiple sessions, which have to be terminated separately.
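The following is an added example, not Nuxeo code, showing the server-side session handling the suggested fix calls for (manual logout, idle timeout, invalidation of server-side state on password change and reset) together with a check that mirrors the proof of concept above: two sessions for one user, a password change from one of them, and a verification that the other session is dead afterwards. The in-memory store, the PBKDF2 hashing, the `SessionStore`/`AuthService` classes and the sample account are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Illustrative example, not Nuxeo's implementation. Tokens are stored in
# memory here; a real deployment would keep them in a shared, persistent store.
PBKDF2_ROUNDS = 200_000  # assumption: illustrative work factor


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class SessionStore:
    """Server-side session state keyed by an opaque random token."""

    def __init__(self, idle_timeout: float = 1800.0):
        self.idle_timeout = idle_timeout              # seconds without activity
        self._sessions: Dict[str, dict] = {}          # token -> {"user", "last_seen"}

    def create(self, user: str, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": time.time() if now is None else now}
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user of a live session (refreshing last_seen), else None."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:  # session timeout
            del self._sessions[token]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)               # manual logout control

    def invalidate_user(self, user: str, keep: Optional[str] = None) -> int:
        """Drop every session of `user` except `keep`; returns the number dropped."""
        doomed = [t for t, e in self._sessions.items() if e["user"] == user and t != keep]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


class AuthService:
    def __init__(self, store: SessionStore):
        self.store = store
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def _check_password(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash_password(password, salt))

    def login(self, user: str, password: str) -> Optional[str]:
        return self.store.create(user) if self._check_password(user, password) else None

    def change_password(self, token: str, old_pw: str, new_pw: str) -> bool:
        """Authenticated change: keep the calling session, drop every other one."""
        user = self.store.validate(token)
        if user is None or not self._check_password(user, old_pw):
            return False
        self.register(user, new_pw)                   # re-salt and store the new hash
        self.store.invalidate_user(user, keep=token)
        return True

    def reset_password(self, user: str, new_pw: str) -> bool:
        """Reset (e.g. via an emailed link): no session is trusted, drop them all."""
        if user not in self._users:
            return False
        self.register(user, new_pw)
        self.store.invalidate_user(user)
        return True


def reproduce_report(auth: AuthService, user: str, password: str) -> dict:
    """Mirror the proof of concept: log in from two 'browsers', change the
    password from one, then check whether the other token still works."""
    browser_a = auth.login(user, password)
    browser_b = auth.login(user, password)
    changed = auth.change_password(browser_a, password, "new-" + password)
    return {
        "changed": changed,
        "current_session_alive": auth.store.validate(browser_a) is not None,
        "other_session_alive": auth.store.validate(browser_b) is not None,
    }


if __name__ == "__main__":
    svc = AuthService(SessionStore())
    svc.register("alice", "correct horse")            # constructed sample account
    print(reproduce_report(svc, "alice", "correct horse"))
```

With the fix in place, `reproduce_report` returns `other_session_alive: False`; against a server with the reported behaviour the equivalent check would return `True`, which is the condition a regression test for this issue should assert against.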

      People

      • Assignee: Unassigned
      • Reporter: santony Sooraj Antony