Idea ID: 2784799

NNMi Broken-Authentication

Status: Waiting for Votes

The application is vulnerable to broken authentication: changing the account password does not invalidate the user's other active sessions, so the same account can be used from two different sessions authenticated with two different passwords. This increases the risk of account hijacking, because a session that was already established survives the password change.

Reproduce scenario:
1- Log in using the username and password
2- Change the user account password
3- Leave the current session open, open a new browser session, then log in using the new password
4- You now have two open sessions with different passwords

Expected scenario:
1- Log in using the username and password
2- Change the user account password
3- The system should end the session and ask the user to log in again with the new password
4- All open sessions use the new password
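One server-side way to get the expected behaviour, as an added example written for this page and not NNMi's own code: a session registry that binds each session to a password version and revokes every session of the user when the password changes. The class, method names and the sample account are assumptions.

```python
import hashlib
import hmac
import os
import secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    # users: name -> {"salt", "hash", "pw_version"}; sessions: id -> {"user", "pw_version"}
    def __init__(self):
        self.users, self.sessions = {}, {}
    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "hash": _hash(password, salt), "pw_version": 1}
    def _check(self, user, password):
        rec = self.users.get(user)
        return rec is not None and hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))
    def login(self, user, password):
        if not self._check(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        # Bind the session to the password version it authenticated with.
        self.sessions[sid] = {"user": user, "pw_version": self.users[user]["pw_version"]}
        return sid
    def is_valid(self, sid):
        s = self.sessions.get(sid)
        # Valid only while the session's password version is the account's current one.
        return s is not None and s["pw_version"] == self.users[s["user"]]["pw_version"]
    def change_password(self, sid, old, new):
        user = self.sessions.get(sid, {}).get("user")
        if not self.is_valid(sid) or not self._check(user, old):
            return False
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "hash": _hash(new, salt),
                            "pw_version": self.users[user]["pw_version"] + 1}
        # Revoke every session of this user, including the one that made the change.
        for s_id in [k for k, v in self.sessions.items() if v["user"] == user]:
            del self.sessions[s_id]
        return True

def demo():
    """Reported scenario: (old session still valid, old password logs in, new password logs in)."""
    store = SessionStore()
    store.register("operator", "OldPass#1")  # constructed sample account
    first = store.login("operator", "OldPass#1")
    store.change_password(first, "OldPass#1", "NewPass#2")
    return (store.is_valid(first), store.login("operator", "OldPass#1") is not None,
            store.login("operator", "NewPass#2") is not None)
```

After the change the original session is gone and only the new password opens a session, which is the expected scenario above; a failed change attempt (wrong current password) leaves existing sessions untouched.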
