t oo created AIRFLOW-4183:
-----------------------------
Summary: [security] ui - Simultaneous Logins
Key: AIRFLOW-4183
URL: https://issues.apache.org/jira/browse/AIRFLOW-4183
Project: Apache Airflow
Issue Type: Improvement
Components: security, ui
Reporter: t oo
The Airflow application is not configured to restrict the number of concurrent
sessions. Concurrent sessions allow multiple users to simultaneously login to
the web application with the same user credentials. The application also
provides no notification when another session has been opened or when changes
are made.

Business Impact/Attack Scenario

In the scenario that a genuine user's credentials are stolen, an attacker can
use the user's account to access information within the application. The
likelihood of detecting unauthorised access is reduced as the user is not
informed during login when the account was last accessed or if there were any
invalid login attempts made recently.

Recommendation

If possible, restrict each user account to one valid session at a time. If the
web application cannot restrict concurrent logon sessions, it must take
effective actions after each new authentication event, implicitly terminating
the previously available session, or asking the user (through the old, new or
both sessions) as to which session will remain active. As a fallback measure,
notify the user that a concurrent session has been identified.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
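Added example, not code from the Airflow project or from the reporter: a minimal per-user session registry showing the two behaviours the recommendation describes, revoking the previous session when a new login occurs ("terminate") or keeping both and surfacing a notice to each ("notify"). Wiring it into the web app's login handler and a per-request check (for example a Flask `before_request` hook reading the session cookie) is assumed and not shown.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class SessionRecord:
    token: str
    created_at: float
    revoked: bool = False
    notice: Optional[str] = None  # message delivered to this session once


class SingleSessionRegistry:
    """Track one current session per user.

    policy="terminate": a new login revokes the earlier session and leaves
    it a notice explaining why it ended.
    policy="notify": both sessions stay valid, and each is told about the
    other on its next request (the fallback the recommendation describes).
    """

    def __init__(self, policy: str = "terminate") -> None:
        self.policy = policy
        self._current: Dict[str, SessionRecord] = {}  # user -> latest session
        self._by_token: Dict[str, Tuple[str, SessionRecord]] = {}

    def login(self, user: str) -> Tuple[str, bool]:
        """Register a new authentication event.

        Returns (session token, True if another session was already active).
        """
        previous = self._current.get(user)
        concurrent = previous is not None and not previous.revoked
        record = SessionRecord(token=secrets.token_urlsafe(32), created_at=time.time())
        if concurrent:
            if self.policy == "terminate":
                previous.revoked = True
                previous.notice = "Session ended: the account was signed in elsewhere."
            else:  # notify: keep both sessions, tell each about the other
                previous.notice = "A new login to this account was detected."
                record.notice = "Another session for this account is currently active."
        self._current[user] = record
        self._by_token[record.token] = (user, record)
        return record.token, concurrent

    def validate(self, token: str) -> Tuple[bool, Optional[str]]:
        """Check a request's token. Returns (is_valid, pending notice or None)."""
        entry = self._by_token.get(token)
        if entry is None:
            return False, None
        _, record = entry
        if record.revoked:
            del self._by_token[token]  # a revoked session is rejected once with its notice, then forgotten
            return False, record.notice
        notice, record.notice = record.notice, None  # deliver the notice exactly once
        return True, notice
```

The "terminate" path is the one that actually limits an account to a single valid session; "notify" only improves detectability and should be paired with showing last-login time and recent failed attempts at sign-in.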