[
https://issues.apache.org/jira/browse/AMBARI-24590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16602868#comment-16602868
]
Akhil S Naik commented on AMBARI-24590:
---------------------------------------
Reference for session replay attack:
https://campus.barracuda.com/product/webapplicationfirewall/doc/49058327/session-replay-attack/
> Ambari is keeping the Session cookie even after logout
> ------------------------------------------------------
>
> Key: AMBARI-24590
> URL: https://issues.apache.org/jira/browse/AMBARI-24590
> Project: Ambari
> Issue Type: Bug
> Reporter: Akhil S Naik
> Priority: Major
> Labels: ambari-server, security-issue
> Attachments: AMBARI_SESSION_ID.png
>
>
> Ambari is keeping the session cookie in the response even after logout from
> Ambari.
> Ambari is vulnerable to a session replay attack due to this vulnerability.
> We should remove the 'AMBARISESSIONID' once the user is logged out.
> Please refer to the attached screenshot.
> !AMBARI_SESSION_ID.png!
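The defect the ticket describes, shown as an added example that is not Ambari's own code: a logout that returns without invalidating the session leaves a captured AMBARISESSIONID value usable afterwards, while a logout that drops the server-side session and expires the cookie does not. The in-memory session store and the handler names are assumptions for the demonstration; only the cookie name comes from the ticket.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE = "AMBARISESSIONID"
_sessions = {}  # constructed in-memory store: session id -> user name


def login(user):
    """Issue a fresh, unguessable session id and register it server-side."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = user
    return sid


def is_authenticated(cookie_header):
    """Server-side check: a cookie is only valid while the store still knows it."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE)
    return morsel is not None and morsel.value in _sessions


def logout_buggy(sid):
    """Behaviour the ticket reports: the response is sent with the session
    left intact, so a cookie captured before logout keeps working."""
    return {"status": 302, "headers": {"Location": "/login"}}


def logout_fixed(sid):
    """Invalidate server-side state first, then tell the browser to drop the cookie."""
    _sessions.pop(sid, None)
    jar = SimpleCookie()
    jar[COOKIE] = ""
    jar[COOKIE]["path"] = "/"
    jar[COOKIE]["max-age"] = 0       # expire immediately
    jar[COOKIE]["httponly"] = True
    jar[COOKIE]["secure"] = True
    return {"status": 302,
            "headers": {"Location": "/login",
                        "Set-Cookie": jar.output(header="").strip()}}


def replay_after_logout(logout):
    """True if a cookie value captured before logout still authenticates afterwards."""
    sid = login("admin")
    captured = f"{COOKIE}={sid}"   # what an earlier response would have set
    logout(sid)
    return is_authenticated(captured)
```

`replay_after_logout(logout_buggy)` returns True and `replay_after_logout(logout_fixed)` returns False; the same check against a real deployment is to reuse a pre-logout cookie on an authenticated endpoint and confirm it is refused.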
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)