You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ambari.apache.org by "Akhil S Naik (JIRA)" <ji...@apache.org> on 2018/09/04 10:25:00 UTC

[jira] [Commented] (AMBARI-24590) Ambari is keeping the Session cookie even after logout

    [ https://issues.apache.org/jira/browse/AMBARI-24590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16602868#comment-16602868 ] 

Akhil S Naik commented on AMBARI-24590:
---------------------------------------

reference of  session replay attack : https://campus.barracuda.com/product/webapplicationfirewall/doc/49058327/session-replay-attack/

> Ambari is keeping the Session cookie even after logout
> ------------------------------------------------------
>
>                 Key: AMBARI-24590
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24590
>             Project: Ambari
>          Issue Type: Bug
>            Reporter: Akhil S Naik
>            Priority: Major
>              Labels: ambari-server, security-issue
>         Attachments: AMBARI_SESSION_ID.png
>
>
> Ambari is keeping the session cookie in the response even after logout from ambari.
> Ambari is vulnerable to session replay attack due to this vulnerability .
> we should remove the 'AMBARISESSIONID' once the user is logged out.
> Please refer to attached screenshot.
>  !AMBARI_SESSION_ID.png! 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)