andrewmusselman opened a new issue, #731: URL: https://github.com/apache/tooling-trusted-releases/issues/731
**ASVS References:** 7.4.1, 7.4.2
**Findings:** 7.4.1-HIGH-002, 7.4.2-01, 7.4.2-02

### Description

The application uses cookie-based sessions (`asfquart`) without any server-side session tracking. Sessions are entirely stored as signed cookies on the client, which means:

- There is no way to enumerate active sessions for a user.
- Logging out only clears the cookie from the current response — a previously captured cookie can still be replayed.
- When a user account is disabled or deleted, there is **no mechanism** to force-terminate their active sessions.
- Sessions can remain valid for up to 72 hours after account deactivation.

This is the root architectural gap behind multiple ASVS 7.4.1 and 7.4.2 failures.

### Attack Scenario

1. An attacker captures a victim's session cookie (e.g., via XSS or network sniffing).
2. The victim logs out via `/auth?logout`.
3. The attacker replays the captured cookie — the server validates the signature and accepts the session.

### Affected Files

- `src/asfquart/session.py` — `write()`, `read()`, `clear()`
- `src/asfquart/generics.py` — logout handler
- `atr/blueprints/get.py` — `committer()` decorator
- `atr/blueprints/post.py` — `committer()` decorator

### Recommendation

Add audit logging for sessions; related to #725
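As an added illustration that is not asfquart's code and not part of the issue, the following self-contained Python sketch shows the server-side tracking the description says is missing: cookies stay signed, but the server also records each session id, so logout and account deactivation revoke the record and a replayed cookie is refused even though its signature still verifies. The `SECRET` value, the `SessionRegistry` class and its audit list are assumptions of this example.

```python
import base64, hashlib, hmac, json, secrets
SECRET = b"constructed-example-secret-do-not-use"  # constructed; load from config in real code

def sign(payload: dict) -> str:
    # Stateless signed cookie, the model the issue describes: base64(json).hmac-sha256
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def verify(cookie: str):
    # Signature check only: says nothing about whether the session was logged out or revoked
    body, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

class SessionRegistry:
    """Hypothetical server-side session record (sid -> uid) plus the audit trail the issue asks for."""
    def __init__(self):
        self.live = {}   # a session exists only while its sid is present here
        self.audit = []  # (event, uid, sid) tuples

    def create(self, uid: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.live[sid] = uid
        self.audit.append(("login", uid, sid))
        return sign({"uid": uid, "sid": sid})

    def read(self, cookie: str):
        data = verify(cookie)
        if data is None or data.get("sid") not in self.live:
            return None  # tampered, logged out, or force-revoked: a replayed cookie is refused
        return data

    def logout(self, cookie: str) -> None:
        data = verify(cookie)
        if data and self.live.pop(data.get("sid"), None) is not None:
            self.audit.append(("logout", data["uid"], data["sid"]))

    def revoke_user(self, uid: str) -> int:
        # Force-terminate every session of a disabled or deleted account
        dead = self.active_sessions(uid)
        for sid in dead:
            del self.live[sid]
            self.audit.append(("revoked", uid, sid))
        return len(dead)

    def active_sessions(self, uid: str) -> list:
        return [sid for sid, owner in self.live.items() if owner == uid]
```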
