Task #12564

Task #12556: Pentest - 2nd Assessment [2021]

Pentest_IBAM - Multiple Concurrent Session Allowed [LOW]

Added by Nurul Athira Abdul Rahim almost 3 years ago. Updated about 2 years ago.

Status: Work Completed-End life cycle
Start date: November 08, 2021
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 100%
Category: Penetration Test Issue
Spent time: -
Target version: -

Description

The web application allows multiple simultaneous logons from the same user from different client IP addresses. This creates a potential security risk when the same user is logged in from more than one location at the same time.

Solution provided by LGMS:

Whether multiple simultaneous logons from the same user are allowed, from the same or from different client IP addresses, is a design decision of the web application. If the web application does not allow simultaneous session logons, it must take effective action after each new authentication event: either implicitly terminate the previously active session, or ask the user (through the old session, the new session, or both) which session must remain active.

Affected URL:

https://10.10.55.34:9444/bsn-admin-uat/*
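An added example (not part of this ticket and not the application's own code) of the "terminate the previous session" option given in the solution above: an in-memory session store that revokes the user's prior session on every new authentication, so a second logon from another client IP invalidates the first cookie on the server side. The names `SessionStore`, `login`, `is_valid` and the sample user and IP values are assumptions constructed for the example.

```python
"""Single-active-session enforcement (added example, not the application's code).

Policy: after every successful authentication the server terminates the
user's previously active session, so one account cannot be logged in from
two clients at once. Validity is checked server-side on every request;
a client presenting a revoked session id is rejected.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    session_id: str
    username: str
    client_ip: str
    created_at: float
    active: bool = True
    ended_reason: Optional[str] = None


class SessionStore:
    """In-memory session table. A real deployment would use a shared store
    (database/cache) so every application node sees the same revocations (assumption)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._active_by_user: Dict[str, str] = {}

    def login(self, username: str, client_ip: str) -> Session:
        """Create a fresh session after authentication and revoke any prior one for the user."""
        previous_id = self._active_by_user.get(username)
        if previous_id is not None:
            self._terminate(previous_id, reason="superseded by new login from %s" % client_ip)
        session = Session(
            session_id=secrets.token_urlsafe(32),  # unpredictable id, never derived from the username
            username=username,
            client_ip=client_ip,
            created_at=time.time(),
        )
        self._sessions[session.session_id] = session
        self._active_by_user[username] = session.session_id
        return session

    def _terminate(self, session_id: str, reason: str) -> None:
        session = self._sessions.get(session_id)
        if session is None or not session.active:
            return  # already revoked or unknown: nothing to do
        session.active = False
        session.ended_reason = reason
        if self._active_by_user.get(session.username) == session_id:
            del self._active_by_user[session.username]

    def logout(self, session_id: str) -> None:
        self._terminate(session_id, reason="user logout")

    def is_valid(self, session_id: str) -> bool:
        """Server-side check performed on every request."""
        session = self._sessions.get(session_id)
        return session is not None and session.active

    def active_sessions(self, username: str) -> List[Session]:
        return [s for s in self._sessions.values() if s.username == username and s.active]


def demo() -> dict:
    """Reproduce the finding's scenario: same account, two client IPs (constructed values)."""
    store = SessionStore()
    first = store.login("alice", "10.0.0.5")
    second = store.login("alice", "192.0.2.77")  # second logon from another client
    return {
        "first_valid": store.is_valid(first.session_id),    # False: revoked by the new logon
        "second_valid": store.is_valid(second.session_id),  # True
        "active_count": len(store.active_sessions("alice")),  # 1
        "first_reason": first.ended_reason,
    }


if __name__ == "__main__":
    print(demo())
```

The alternative the solution mentions, asking the user which session should survive, fits the same structure: instead of calling `_terminate` unconditionally in `login`, the server would create the new session in a pending state and complete or cancel it once the user answers. Either way the decision is made and recorded on the server; relying on the client to discard the old cookie would leave the finding open.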

History

#1 Updated by Najmi Pasarudin almost 3 years ago

  • Status changed from New - Begin Life Cycle to Internal Testing
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
  • % Done changed from 0 to 100

Staging allows multiple logins. Production has already applied Single Sign-On.

#2 Updated by Nurul Athira Abdul Rahim almost 3 years ago

  • Status changed from Internal Testing to System Integration Test

#3 Updated by Nurul Athira Abdul Rahim over 2 years ago

  • Status changed from System Integration Test to Development / Work In Progress
  • Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin

Kindly review the fixes, as the new pentest (March 9, 20202) result status stated "not solved".

#4 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from Development / Work In Progress to Pending Review
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim

Production is already set as single sign-on.
UAT updated SSO on 16/3/2022.

#5 Updated by Nurul Athira Abdul Rahim about 2 years ago

  • Status changed from Pending Review to Work Completed-End life cycle
