[ https://issues.apache.org/jira/browse/RANGER-2366?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Velmurugan Periasamy deleted RANGER-2366:
-----------------------------------------
> [security] Admin webui - simultaneous logins
> ---------------------------------------------
>
> Key: RANGER-2366
> URL: https://issues.apache.org/jira/browse/RANGER-2366
> Project: Ranger
> Issue Type: Bug
> Reporter: t oo
> Priority: Major
>
> The application supports concurrent sessions, enabling an attacker who has
> compromised another user’s credentials to make use of them without risk of
> detection. Allowing simultaneous logins without any notifications/updates can
> allow an attacker to access a user’s account undetected by the latter. Having
> no notifications that a user is logged in to another location and that the
> system accepts multiple logins prevents a user from taking necessary steps to
> address the issue.
>
> The application was found to allow multiple simultaneous logins using a
> single user account. When a user account is applied to log in from multiple
> locations, neither the currently logged-in user nor the new user is informed
> of this event. This has been verified by accessing the application via two
> machines using the same credentials.
>
> Business Impact/Attack Scenario:
>
> In the scenario that a genuine user’s credentials are stolen, an attacker
> can use the user’s account and access information within the application.
> Probability of detection of this unauthorized access is reduced as the user
> is not informed during login when the account was last accessed or if there
> were any invalid login attempts made in the recent past.
>
> Recommendation:
>
> Enforce validation in the application to allow only one login per user ID at
> a time, or display ‘Last Logged In’ and ‘Failed Login Attempt’ information
> during the login process so that users can be alerted in case of any
> unauthorized access of their accounts. Consider invalidating current user
> sessions server-side upon subsequent user login. Notification can also be
> made to the terminated session along with pertinent information such as the
> IP address of the new session holder as well as contact information for the
> site’s security administration.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
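The controls the report recommends, combined into one server-side session registry, as an added example; this is not code from the original issue and not Ranger's own implementation. It keeps a single live session per user ID, invalidates the previous session server-side when the same account logs in again, records the new client's IP on the evicted session so the terminated client can be told who displaced it, and returns the "last logged in" and "failed attempts since last login" data that the login page should display. The in-memory store, the `security_contact` address, the PBKDF2 password storage and the sample users and IPs in the demo are all assumptions made for the example. A Spring Security based application would normally get the one-session-per-principal part from the framework's concurrent session control (session registry with a maximum of one session) rather than hand-rolling it; the notification and last-login reporting still have to be added by the application.

```python
"""Single session per account with eviction notice and last-login reporting (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    token: str
    user: str
    ip: str
    created_at: float
    active: bool = True
    evicted_by_ip: Optional[str] = None  # IP of the newer login that terminated this session


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    last_login_ip: Optional[str] = None
    last_login_at: Optional[float] = None
    failed_attempts_since_last_login: int = 0


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so the example never stores plaintext passwords (assumed KDF choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Server-side registry allowing one live session per user ID."""

    def __init__(self, security_contact: str) -> None:
        self.security_contact = security_contact  # assumed contact shown to evicted sessions
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}
        self.active_token_by_user: dict[str, str] = {}

    def add_account(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt))

    def login(self, username: str, password: str, ip: str, now: float) -> tuple[Optional[Session], dict]:
        """Authenticate; on success return the new session plus the info the login page must show."""
        acct = self.accounts.get(username)
        if acct is None:
            return None, {}
        if not hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt)):
            acct.failed_attempts_since_last_login += 1  # reported to the real user at next login
            return None, {}

        info = {
            "last_login_ip": acct.last_login_ip,
            "last_login_at": acct.last_login_at,
            "failed_attempts_since_last_login": acct.failed_attempts_since_last_login,
            "evicted_session_ip": None,
        }
        # Enforce one login per user ID: terminate any existing session server-side
        # and remember who displaced it so validate() can tell the old client.
        old_token = self.active_token_by_user.get(username)
        if old_token is not None:
            old = self.sessions[old_token]
            old.active = False
            old.evicted_by_ip = ip
            info["evicted_session_ip"] = old.ip

        session = Session(secrets.token_urlsafe(32), username, ip, now)
        self.sessions[session.token] = session
        self.active_token_by_user[username] = session.token
        acct.last_login_ip, acct.last_login_at = ip, now
        acct.failed_attempts_since_last_login = 0
        return session, info

    def validate(self, token: str) -> tuple[bool, str]:
        """Per-request check; an evicted session gets a message naming the new holder's IP."""
        s = self.sessions.get(token)
        if s is None:
            return False, "no such session"
        if not s.active:
            return False, (f"Your session was terminated because {s.user} logged in from "
                           f"{s.evicted_by_ip}. If this was not you, contact {self.security_contact}.")
        return True, "ok"

    def logout(self, token: str) -> None:
        s = self.sessions.pop(token, None)
        if s is not None and self.active_token_by_user.get(s.user) == token:
            del self.active_token_by_user[s.user]


if __name__ == "__main__":
    # Constructed demo: the user logs in, an attacker fails once, then succeeds from another IP.
    store = SessionStore(security_contact="security@example.org")
    store.add_account("admin", "correct horse battery staple")
    first, _ = store.login("admin", "correct horse battery staple", "10.0.0.5", now=1000.0)
    store.login("admin", "guess", "203.0.113.7", now=1100.0)
    second, shown = store.login("admin", "correct horse battery staple", "203.0.113.7", now=1200.0)
    print("login page shows:", shown)
    print("old session:", store.validate(first.token))
    print("new session:", store.validate(second.token))
```

The eviction message is deliberately delivered on the next request of the terminated session rather than only at login time, because that is the one moment the displaced client is guaranteed to be listening; the "last logged in" and failed-attempt counters are reset only on a successful login so the legitimate user always sees the attacker's attempts that happened in between.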