[
https://issues.apache.org/jira/browse/AMBARI-24590?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Akhil S Naik updated AMBARI-24590:
----------------------------------
Description:
Ambari is keeping the session cookie in the response even after logout from
Ambari.
Ambari is vulnerable to a session replay attack due to this vulnerability.
We should remove the 'AMBARISESSIONID' once the user is logged out.
Please refer to attached screenshot.
!AMBARI_SESSION_ID.png!
was:
Ambari is keeping the session cookie in the response even after logout from
Ambari.
Ambari is vulnerable to a session replay attack due to this vulnerability.
We should remove the 'AMBARISESSIONID' once the user is logged out.
Please refer to attached screenshot.
!Screen Shot 2018-09-04 at 3.44.36 PM.png!
> Ambari is keeping the Session cookie even after logout
> ------------------------------------------------------
>
> Key: AMBARI-24590
> URL: https://issues.apache.org/jira/browse/AMBARI-24590
> Project: Ambari
> Issue Type: Bug
> Reporter: Akhil S Naik
> Priority: Major
> Labels: ambari-server, security-issue
> Attachments: AMBARI_SESSION_ID.png, Screen Shot 2018-09-04 at 3.44.36
> PM.png
>
>
> Ambari is keeping the session cookie in the response even after logout from
> Ambari.
> Ambari is vulnerable to a session replay attack due to this vulnerability.
> We should remove the 'AMBARISESSIONID' once the user is logged out.
> Please refer to attached screenshot.
> !AMBARI_SESSION_ID.png!
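
A regression check for the behaviour this issue asks for, as an added example that is not part of the original report and is not Ambari code. `SessionStore`, `logout_weak`, `logout_fixed` and `replay_accepted` are hypothetical names, the in-memory store is constructed, and the weak handler assumes the server-side session stays valid after logout; only the cookie name comes from the report.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE = "AMBARISESSIONID"  # cookie name taken from the report

class SessionStore:
    """Constructed in-memory stand-in for a server-side session table (hypothetical)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def authenticate(self, cookie_header):
        """Return the user for the presented Cookie header, or None."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        morsel = jar.get(COOKIE)
        return self._sessions.get(morsel.value) if morsel else None

    def logout_weak(self, cookie_header):
        """Flawed logout: session stays valid and no cookie-clearing header is sent."""
        return {}

    def logout_fixed(self, cookie_header):
        """Invalidate the session server-side, then tell the browser to drop the cookie."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        if COOKIE in jar:
            self._sessions.pop(jar[COOKIE].value, None)
        out = SimpleCookie()
        out[COOKIE] = ""
        out[COOKIE]["path"] = "/"
        out[COOKIE]["max-age"] = 0       # expire immediately on the client
        out[COOKIE]["httponly"] = True
        return {"Set-Cookie": out[COOKIE].OutputString()}

def replay_accepted(store, logout):
    """Is a cookie that was issued before logout still honoured afterwards?"""
    sid = store.login("admin")
    issued = f"{COOKIE}={sid}"
    assert store.authenticate(issued) == "admin"
    logout(issued)
    return store.authenticate(issued) is not None
```

Clearing the cookie in the browser is not sufficient on its own: the server-side invalidation in `logout_fixed` is what makes the old value useless.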