t oo created RANGER-2364:
----------------------------
Summary: [security] Admin webui - Logout does not invalidate the
session correctly
Key: RANGER-2364
URL: https://issues.apache.org/jira/browse/RANGER-2364
Project: Ranger
Issue Type: Bug
Components: admin, Ranger
Affects Versions: 1.0.0
Reporter: t oo
After changing the password in one browser, the tester was still able to browse
the application in another browser.

Logging out should clear all session state and remove or invalidate any
residual cookies.

It is possible to replay a request from a previous session after the “Log Out”
button has been pressed and view the data.

Business Impact/Attack Scenario:
An attacker can replay the original session information to gain access to the
application after a logout has been completed.

Recommendation:
Log out needs to be configured to completely invalidate the session (client
and server-side) to prevent replay attacks.
All protected pages need to check the authentication state and authorization
role before performing any significant work, including rendering content.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
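The two behaviours the report contrasts, as an added illustration that is not Ranger's code: a minimal server-side session store in which one logout only expires the browser cookie (the server keeps honouring the old id), the other also removes the server-side record, and a password change revokes the user's other sessions. All class and function names are hypothetical.

```python
# Added example, not from the Ranger project: a toy session store showing
# why logout must invalidate the session server-side, not just client-side.
import secrets
import time


class SessionStore:
    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # session_id -> {"user": str, "expires": float}

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable id, unrelated to the user
        self._sessions[sid] = {"user": user, "expires": time.time() + self.ttl}
        return sid

    def authenticated_user(self, sid):
        """Every protected request must call this before doing any work."""
        rec = self._sessions.get(sid)
        if rec is None or rec["expires"] < time.time():
            self._sessions.pop(sid, None)
            return None
        return rec["user"]

    def logout_client_only(self, sid):
        """Flawed logout: the browser drops its cookie, but the server still
        accepts the old id, so a replayed request is still authenticated."""
        return {"Set-Cookie": "SESSIONID=; Max-Age=0"}

    def logout(self, sid):
        """Correct logout: destroy the server-side record and expire the cookie."""
        self._sessions.pop(sid, None)
        return {"Set-Cookie": "SESSIONID=; Max-Age=0"}

    def change_password(self, user, current_sid):
        """After a password change, revoke the user's other sessions so a
        browser left open elsewhere does not remain signed in."""
        stale = [s for s, r in self._sessions.items()
                 if r["user"] == user and s != current_sid]
        for s in stale:
            del self._sessions[s]


def replay_after_logout(store, client_only):
    """Regression check: is the pre-logout id still honoured afterwards?"""
    sid = store.login("alice")
    (store.logout_client_only if client_only else store.logout)(sid)
    return store.authenticated_user(sid) is not None
```

`replay_after_logout(store, client_only=True)` returns `True` for the flawed logout and `False` for the correct one, which is the check a tester would automate for this report.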