Idea ID: 2784799

NNMi Broken-Authentication

Mohamed13
Status: Waiting for Votes
The application is vulnerable to broken authentication: changing a password does not invalidate the user's other active sessions, so the same account can be used from two different sessions authenticated with two different passwords. This increases the risk of account hijacking.


Reproduce scenario:
1- Log in using username and password
2- Change the user account password
3- Leave the current session open, open a new browser session, then log in using the new password
4- You will have two open sessions with different passwords

Expected Scenario:
1- Log in using username and password
2- Change the user account password
3- The system should end the session and ask the user to log in again with the new password
4- All open sessions are using the new password
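An added example of the expected behaviour (illustration only, not NNMi's code): every session is stamped with the password generation it was issued under, so a password change makes the caller's own session and any other open session for that account fail at the next validation, forcing a fresh login with the new password. The usernames, passwords and in-memory stores below are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory stores standing in for the application's user database and session store.
@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0  # incremented on every password change

@dataclass
class Session:
    username: str
    pw_generation: int      # generation in force when the session was issued

users: dict = {}
sessions: dict = {}

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    users[username] = User(salt, _hash(password, salt))

def login(username: str, password: str) -> Optional[str]:
    user = users.get(username)
    if user is None or not hmac.compare_digest(user.pw_hash, _hash(password, user.salt)):
        return None
    token = secrets.token_urlsafe(32)
    sessions[token] = Session(username, user.pw_generation)
    return token

def is_valid(token: str) -> bool:
    # Revocation is decided here, on every request: a session issued under an
    # older password generation is rejected even though it is still in the store.
    s = sessions.get(token)
    return s is not None and s.pw_generation == users[s.username].pw_generation

def change_password(token: str, old_password: str, new_password: str) -> bool:
    if not is_valid(token):
        return False
    user = users[sessions[token].username]
    if not hmac.compare_digest(user.pw_hash, _hash(old_password, user.salt)):
        return False
    user.salt = secrets.token_bytes(16)
    user.pw_hash = _hash(new_password, user.salt)
    user.pw_generation += 1  # every existing session, the caller's included, is now dead
    return True
```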
