-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication Bypass via Improper Session Management #7576
Comments
Correction: Tested versions: 1.4.4-1.4.8 |
What exactly/how did you test this? By default inactive sessions expire after 10 minutes, this can be adjusted using the |
@bhamb I don't agree with most of what you've said. I mean there's always a risk, but the risk is mitigated as @johndoh explained. There's one thing we could consider. It's to make sure that the expired sessions aren't used again. Even if GC is enabled (normally it is) it might not remove the expired sessions immediately. We could check if the session is valid when we first try to use it, i.e. in |
Hello, session_lifetime and ip_check : @alecpl : Yes, it would be great if you could check the re-usage of the expired session - as you mentioned. Because the I could access my own mailbox as I described above. I just had to send the HTTP requests again to the server. |
Fixed. |
Dear Team,
Although the session ID is generated and will be invalid during a normal Log in / out activity, still there is a possibility to abuse this Session Management due to a lack of invalidation process.
In case there is no logout and the user only close the browser (and maybe shutdown the computer) and later on he/she will use another browser or computer then a brand new Session ID will be generated during the login activity (which is OK) but the server will terminate the current session ID only during the logout. The user believes that his mailbox access is closed, but the first Session ID still can be used.
Risk.: The lack of the not proper session invalidation could lead an attacker to access all the victim user's emails. The risk is decreased by the fact, that the necessary data (old Session ID ) only can be achieved by the following persons:
Mitigations:
1.: It is recommended to terminate / delete all the active sessions which belongs to the logged in user. Of course this solution does not help if the user just close the browser and will not use the mailbox for several hours, and in the meantime the attacker still has access to the mailbox. Furthermore, if concurrent login must be allowed, then a warning message can be sent about the logout to inform the other logged-in instance.
2.: If it is doable, the generated sessions should be bind with an IP address. This mitigation would protect the mailbox from the remote attackers only, and not from the attacker works from the same IP (Enterprise company)
The text was updated successfully, but these errors were encountered: