Posted to dev@ranger.apache.org by "Velmurugan Periasamy (JIRA)" <ji...@apache.org> on 2019/03/13 15:25:00 UTC

[jira] [Deleted] (RANGER-2364) [security] Admin webui - Logout does not invalidate the session correctly

     [ https://issues.apache.org/jira/browse/RANGER-2364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Velmurugan Periasamy deleted RANGER-2364:
-----------------------------------------


> [security] Admin webui - Logout does not invalidate the session correctly
> -------------------------------------------------------------------------
>
>                 Key: RANGER-2364
>                 URL: https://issues.apache.org/jira/browse/RANGER-2364
>             Project: Ranger
>          Issue Type: Bug
>            Reporter: t oo
>            Priority: Major
>
> After changing the password in one browser, the tester was still able to browse the application in another browser.
>
> Logging out should clear all session state and remove or invalidate any residual cookies.
> It is possible to replay a request from a previous session after the “Log Out” button has been pressed and view the data.
>
> Business Impact/Attack Scenario:
> An attacker can replay the original session information to gain access to the application after a logout has been completed.
>
> Recommendation:
> Log out needs to be configured to completely invalidate the session (client and server-side) to prevent replay attacks.
> All protected pages need to check the authentication state and authorization role before performing any significant work, including rendering content.
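The recommendation in the report (server-side invalidation on logout, sessions tied to the current password, and an authentication check before any protected page renders) can be shown in a few dozen lines. The following is an added illustration written for this page; it is not Ranger's code and does not reflect how the Ranger admin webui actually stores sessions. It uses a constructed in-memory session table and contrasts a client-only logout, which leaves the server-side session alive so a replayed cookie still works, with a logout that removes the server-side entry. A per-user password version lets a password change invalidate every other live session for that user, which is the first symptom the report describes.

```python
import secrets


class SessionStore:
    """Constructed in-memory, server-side session table (example only)."""

    def __init__(self):
        self._sessions = {}    # session id -> {"user": str, "pw_version": int}
        self._pw_version = {}  # user -> password generation counter

    def login(self, user, password_ok=True):
        """Issue a fresh, unguessable session id after a successful login."""
        if not password_ok:
            return None
        sid = secrets.token_urlsafe(32)
        version = self._pw_version.setdefault(user, 0)
        self._sessions[sid] = {"user": user, "pw_version": version}
        return sid

    def user_for(self, sid):
        """Return the user bound to sid if it is a live session, else None.

        A session created under an older password version is treated as dead,
        so changing the password logs out every other browser for that user.
        """
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["pw_version"] != self._pw_version.get(entry["user"]):
            self._sessions.pop(sid, None)  # lazily evict the stale session
            return None
        return entry["user"]

    def logout_client_only(self, sid):
        """Weak logout: only tells the browser to drop its cookie.

        The server-side entry survives, so anyone holding the old id can
        replay it. This is the behaviour the report complains about.
        """
        return "Set-Cookie: SESSIONID=; Max-Age=0"

    def logout(self, sid):
        """Correct logout: invalidate server-side state and clear the cookie."""
        self._sessions.pop(sid, None)
        return "Set-Cookie: SESSIONID=; Max-Age=0"

    def change_password(self, user):
        """Bump the user's password version; all existing sessions become invalid."""
        self._pw_version[user] = self._pw_version.get(user, 0) + 1


def protected_page(store, sid):
    """Check authentication before doing any work, including rendering."""
    user = store.user_for(sid)
    if user is None:
        return 401, "login required"
    return 200, f"admin content for {user}"


def demo():
    """Walk through the scenarios from the report and return the status codes."""
    store = SessionStore()

    sid = store.login("admin")
    before_logout = protected_page(store, sid)[0]      # 200: live session

    store.logout_client_only(sid)
    replay_after_weak_logout = protected_page(store, sid)[0]   # 200: replay works

    store.logout(sid)
    replay_after_fixed_logout = protected_page(store, sid)[0]  # 401: rejected

    sid_browser_a = store.login("admin")
    sid_browser_b = store.login("admin")
    store.change_password("admin")   # done from browser A
    other_browser = protected_page(store, sid_browser_b)[0]    # 401: cut off
    browser_a_old = protected_page(store, sid_browser_a)[0]    # 401 as well
    relogin = protected_page(store, store.login("admin"))[0]   # 200 after re-auth

    return {
        "before_logout": before_logout,
        "replay_after_weak_logout": replay_after_weak_logout,
        "replay_after_fixed_logout": replay_after_fixed_logout,
        "other_browser_after_pw_change": other_browser,
        "changing_browser_old_session": browser_a_old,
        "relogin_after_pw_change": relogin,
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The password-version check is the cheap way to satisfy "in another browser" without keeping a per-user index of session ids; a real deployment would also expire entries by time and store them somewhere shared by all admin nodes rather than in process memory.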



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)