Task #11403
Support #11289: [SCP ID :##5584##] : PCI DSS: Web and Mobile SAP Remediation
Pentest_Web_ADMIN (L8) - Multiple Concurrent Session Allowed
Status: | Work Completed-End life cycle | Start date: | December 01, 2020 |
---|---|---|---|
Priority: | Normal | Due date: | |
Assignee: | Nurul Athira Abdul Rahim | % Done: | 100% |
Category: | Pentest | Spent time: | 1.00 hour |
Target version: | - | | |
Description
The web application allows multiple simultaneous logons for the same user from different client IP addresses. There is a potential security risk when the same user is logged in from more than one location at the same time: a stolen or shared credential can be used in parallel with the legitimate session without either party noticing.
Solution given:
It is a web application design decision whether multiple simultaneous logons for the same user are allowed, from the same or from different client IP addresses. If the web application does not want to allow simultaneous session logons, it must take effective action after each new authentication event: either implicitly terminate the previously active session, or ask the user (through the old session, the new session, or both) which session must remain active.
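The "implicitly terminate the previous session" option from the solution above, as an added example that is not code from this ticket or from the application under test. It keeps an in-memory registry of one active session per user ID; every successful login issues a fresh token and revokes whatever token that user held before, regardless of client IP. User names, client IPs, the TTL and the token format are constructed assumptions.

```python
"""Concurrent-session control: one active session per user ID.

Added example for this ticket, not the application's own code. The
registry, user names, client IPs and token format are assumptions.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    token: str
    user: str
    client_ip: str
    created: float
    expires: float
    revoked_reason: Optional[str] = None  # None while the session is usable


class SessionRegistry:
    """Enforces a single active session per user.

    On each successful authentication the user's previous session is
    revoked, so the older client is "kicked out" on its next request.
    """

    def __init__(self, ttl_seconds: float = 900.0):
        self.ttl = ttl_seconds
        self._by_token: Dict[str, Session] = {}
        self._active_by_user: Dict[str, str] = {}  # user -> active token

    def login(self, user: str, client_ip: str, now: Optional[float] = None) -> Session:
        """Authenticate `user` (assumed already credential-checked) from `client_ip`."""
        now = time.time() if now is None else now
        # Revoke the previously active session for this ID, whatever its IP.
        old_token = self._active_by_user.get(user)
        if old_token is not None:
            old = self._by_token.get(old_token)
            if old is not None and old.revoked_reason is None:
                old.revoked_reason = f"superseded by new login from {client_ip}"
        token = secrets.token_urlsafe(32)  # fresh token per login, never reused
        sess = Session(token, user, client_ip, now, now + self.ttl)
        self._by_token[token] = sess
        self._active_by_user[user] = token
        return sess

    def validate(self, token: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (is_valid, reason); revoked or expired tokens are rejected."""
        now = time.time() if now is None else now
        sess = self._by_token.get(token)
        if sess is None:
            return False, "unknown session"
        if sess.revoked_reason is not None:
            return False, sess.revoked_reason
        if now >= sess.expires:
            sess.revoked_reason = "expired"
            return False, "expired"
        return True, "ok"

    def logout(self, token: str) -> None:
        """Explicit logout revokes the token and frees the user's slot."""
        sess = self._by_token.get(token)
        if sess is not None and sess.revoked_reason is None:
            sess.revoked_reason = "logged out"
            if self._active_by_user.get(sess.user) == token:
                del self._active_by_user[sess.user]


def demo() -> Dict[str, object]:
    """Replay the retest scenario: the same ID logs in from a second IP."""
    reg = SessionRegistry()
    first = reg.login("admin", "10.0.0.5")   # constructed client IPs
    second = reg.login("admin", "10.0.0.9")
    first_ok, first_why = reg.validate(first.token)
    second_ok, _ = reg.validate(second.token)
    return {
        "first_session_valid_after_second_login": first_ok,
        "first_session_reason": first_why,
        "second_session_valid": second_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The revocation is recorded on the old session object rather than by deleting it, so the kicked-out client gets a specific reason on its next request and the event can be logged; the interactive variant (asking the user which session to keep) would replace the unconditional revocation in `login` with a pending-conflict state that a UI step resolves.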
History
#1 Updated by Najmi Pasarudin almost 4 years ago
- Assignee changed from Najmi Pasarudin to Nurul Hasnieza Bt Mohd Zamri
#2 Updated by Nurul Athira Abdul Rahim almost 4 years ago
Finding valid.
#3 Updated by Ngoh Chee Ping almost 4 years ago
- Status changed from New - Begin Life Cycle to Internal Testing
- Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Nurul Athira Abdul Rahim
- % Done changed from 0 to 100
There is no issue with this; it is just that UAT does not have the single sign-on enabled. Enabling sso as below in web.xml will solve this issue.
<context-param>
    <param-name>sso</param-name>
    <param-value>true</param-value>
</context-param>
#4 Updated by Nurul Athira Abdul Rahim almost 4 years ago
- Status changed from Internal Testing to Development / Work In Progress
- Assignee changed from Nurul Athira Abdul Rahim to Nurul Hasnieza Bt Mohd Zamri
- % Done changed from 100 to 10
Hi Nieza,
Kindly update this, following CP instruction.
SIT, UAT and Prod currently disable this sso function.
Please enable at SIT first.
#5 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago
- Status changed from Development / Work In Progress to Pending SIT Deployment
- % Done changed from 10 to 80
#6 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago
- Status changed from Pending SIT Deployment to Internal Testing
- Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Nurul Athira Abdul Rahim
Hi Athira,
SIT deployment done. Kindly retest.
#7 Updated by Nurul Athira Abdul Rahim over 3 years ago
- Status changed from Internal Testing to System Integration Test
Tested and passed.
Result: the current user will be kicked out if there is a new login with the same ID.
#8 Updated by Nurul Athira Abdul Rahim about 3 years ago
- Status changed from System Integration Test to Work Completed-End life cycle
- % Done changed from 80 to 100
Update from JTM:
1st assessment pentest expired.
Pending 2nd scanning report.