Posted to issues@ambari.apache.org by "Akhil S Naik (JIRA)" <ji...@apache.org> on 2018/09/04 10:25:00 UTC
[jira] [Commented] (AMBARI-24590) Ambari is keeping the Session cookie even after logout
[ https://issues.apache.org/jira/browse/AMBARI-24590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16602868#comment-16602868 ]
Akhil S Naik commented on AMBARI-24590:
---------------------------------------
Reference for session replay attack: https://campus.barracuda.com/product/webapplicationfirewall/doc/49058327/session-replay-attack/
> Ambari is keeping the Session cookie even after logout
> ------------------------------------------------------
>
> Key: AMBARI-24590
> URL: https://issues.apache.org/jira/browse/AMBARI-24590
> Project: Ambari
> Issue Type: Bug
> Reporter: Akhil S Naik
> Priority: Major
> Labels: ambari-server, security-issue
> Attachments: AMBARI_SESSION_ID.png
>
>
> Ambari is keeping the session cookie in the response even after logout from Ambari.
> Ambari is vulnerable to a session replay attack due to this vulnerability.
> We should remove the 'AMBARISESSIONID' once the user is logged out.
> Please refer to attached screenshot.
> !AMBARI_SESSION_ID.png!
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
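The issue above describes the failure mode (a logout that leaves the server-side session alive and the cookie in place) without showing what a correct logout response looks like or how to verify one. The following is an added example, not Ambari's code: a minimal in-memory session store that models both the reported behaviour and a hardened logout, plus a check that a logout response actually retires the session cookie. Only the cookie name `AMBARISESSIONID` is taken from the issue; the store, the handler shapes, the user name and the session ids are constructed for this illustration.

```python
"""Added illustration for AMBARI-24590 (not Ambari's code): an in-memory
session store with a broken and a fixed logout, and a check that the logout
response expires the session cookie. The cookie name comes from the issue;
everything else here is constructed."""
import secrets
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

COOKIE_NAME = "AMBARISESSIONID"  # cookie name from the issue report


class SessionStore:
    """Server-side session table: session id -> authenticated user."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def user_for(self, sid):
        """User the server still associates with this cookie value, or None."""
        return self._sessions.get(sid)

    def logout_broken(self, sid):
        """Models the reported behaviour: the logout request is answered, but
        the server-side session is kept and no Set-Cookie clears the cookie,
        so the old cookie value still authenticates when replayed."""
        return {}  # no Set-Cookie header at all

    def logout_fixed(self, sid):
        """Hardened logout: invalidate the server-side session *and* tell the
        client to discard the cookie (Max-Age=0, plus an Expires in the past
        for clients that ignore Max-Age)."""
        self._sessions.pop(sid, None)
        expired = (
            f"{COOKIE_NAME}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
            "Path=/; HttpOnly; Secure"
        )
        return {"Set-Cookie": [expired]}


def _cookie_attrs(set_cookie_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def logout_clears_cookie(headers, now=None):
    """True if some Set-Cookie in the response retires COOKIE_NAME, either
    through Max-Age<=0 or an Expires date that is already in the past."""
    now = now or datetime.now(timezone.utc)
    for value in headers.get("Set-Cookie", []):
        name, attrs = _cookie_attrs(value)
        if name != COOKIE_NAME:
            continue
        max_age = attrs.get("max-age")
        if max_age is not None and max_age.lstrip("-").isdigit() and int(max_age) <= 0:
            return True
        expires = attrs.get("expires")
        if expires:
            try:
                if parsedate_to_datetime(expires) <= now:
                    return True
            except (TypeError, ValueError):
                pass  # unparsable date: does not count as an expiry
    return False


def replay_after_logout(fixed):
    """Log in, log out through the chosen handler, then replay the old cookie.
    Returns (cookie_cleared_by_response, replay_still_accepted)."""
    store = SessionStore()
    sid = store.login("alice")  # constructed user
    headers = store.logout_fixed(sid) if fixed else store.logout_broken(sid)
    return logout_clears_cookie(headers), store.user_for(sid) is not None


if __name__ == "__main__":
    for label, fixed in (("logout_broken", False), ("logout_fixed", True)):
        cleared, accepted = replay_after_logout(fixed)
        print(f"{label}: cookie cleared={cleared}, replay accepted={accepted}")
```

The two checks are deliberately separate: `logout_clears_cookie` inspects only the HTTP response, which is what a reviewer can see in a browser's network panel or a proxy capture, while `replay_after_logout` asks the server whether the old id still authenticates. A logout that only clears the cookie client-side passes the first check and still fails the second, which is why the fixed handler drops the server-side entry before emitting the expiring `Set-Cookie`.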