[
https://issues.apache.org/jira/browse/RANGER-2364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Velmurugan Periasamy deleted RANGER-2364:
-----------------------------------------
> [security] Admin webui - Logout does not invalidate the session correctly
> -------------------------------------------------------------------------
>
> Key: RANGER-2364
> URL: https://issues.apache.org/jira/browse/RANGER-2364
> Project: Ranger
> Issue Type: Bug
> Reporter: t oo
> Priority: Major
>
> After changing password in one browser, tester was still able to browse the
> application in other browser.
>
> |Logging out should clear all session state and remove or invalidate any
> residual cookies.|
> |It is possible to replay a request from a previous session after the “Log
> Out” button has been pressed and view the data|
>
> |Business Impact/Attack Scenario| | | |
> |An attacker can replay the original session information to gain access to
> the application after a logout has been completed.
>
>
> |
>
> |Recommendation| | | | |
> |Log out needs to be configured to completely invalidate the session (client
> and server-side) to prevent replay attacks.
> All protected pages need to check the authentication state and authorization
> role before performing any significant work, including rendering content.|
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
