[ https://issues.apache.org/jira/browse/GUACAMOLE-1994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17891197#comment-17891197 ]

Tribhuwan Phulera commented on GUACAMOLE-1994:
----------------------------------------------

[~vnick] Hi, I tested this on the staging/1.6.0 branch, but it is still the same.

What I did:
 * Created a user and granted SSH access to the machine in *Browser 1*.
 * Logged in to that user account in *Browser 2*.
 * Accessed the virtual machine (VM) using that user account in *Browser 2*.
 * Returned to *Browser 1* (Admin session).
 * Disabled the user account and checked if the user was disconnected in *Browser 2* (they were not).
 * Navigated to other tabs in *Browser 2* (like Active Sessions and Preferences).
 * From *Browser 1*, deleted the user account.
 * Conducted another test in *Browser 2* by navigating to other screens, and found that the account was still accessible, which should not have been the case.
 * Only after logging out in *Browser 2* did the user session terminate, preventing further logins.

> Disabling logins should invalidate current authentication tokens
> ----------------------------------------------------------------
>
>                 Key: GUACAMOLE-1994
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1994
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole
>    Affects Versions: 1.5.5
>            Reporter: Tribhuwan Phulera
>            Priority: Minor
>
> Hi Team,
> I encountered a situation where a user's ID and password were compromised. 
> Upon identifying the issue, I attempted to prevent further incidents by 
> navigating to the Users section and checking the "Login Disabled" option. I 
> also deleted the active session of the compromised user from the Active 
> Session tab, but the sessions continued to be created repeatedly. Ultimately, 
> I had to restart the Tomcat server to completely prevent that user from 
> accessing the system and it asks to login again after Tomcat Server restart.
> This experience has led me to propose an improvement for the "Login Disabled" 
> flag or the implementation of a different feature that allows us to log out a 
> user’s current session immediately to address such scenarios effectively.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
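The behaviour the reporter expects, an account's existing tokens dying the moment the account is disabled or deleted, can be illustrated with a small in-memory token registry. This is an added example with hypothetical names (`AuthRegistry`, `disable_user`, `delete_user`, `validate`) and is not Guacamole's implementation; the sample accounts and sessions are constructed. It shows both halves of the mitigation: eager revocation of every token when the flag flips, and a status re-check on each validation so a token that escaped revocation still cannot be used.

```python
"""Token registry where disabling or deleting an account revokes the
account's active tokens, and validation re-checks account status.
Added example with hypothetical names; not Guacamole's own code."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    login_disabled: bool = False


@dataclass
class Token:
    value: str
    username: str
    issued_at: float = field(default_factory=time.time)


class AuthRegistry:
    """Tracks accounts and the tokens issued to them (constructed, in-memory)."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.tokens: dict[str, Token] = {}

    def create_user(self, username):
        self.accounts[username] = Account(username)

    def login(self, username):
        """Issue a token only for an existing, enabled account."""
        acct = self.accounts.get(username)
        if acct is None or acct.login_disabled:
            return None
        tok = Token(secrets.token_urlsafe(32), username)
        self.tokens[tok.value] = tok
        return tok.value

    def validate(self, token_value):
        """True only if the token exists AND its account is still enabled.

        Re-checking the account on every request is the defence in depth:
        even a token that revocation missed is rejected and dropped here."""
        tok = self.tokens.get(token_value)
        if tok is None:
            return False
        acct = self.accounts.get(tok.username)
        if acct is None or acct.login_disabled:
            self.tokens.pop(token_value, None)
            return False
        return True

    def _revoke_all(self, username):
        """Eager revocation: drop every token held by this account."""
        stale = [v for v, t in self.tokens.items() if t.username == username]
        for v in stale:
            del self.tokens[v]
        return len(stale)

    def disable_user(self, username):
        self.accounts[username].login_disabled = True
        return self._revoke_all(username)

    def delete_user(self, username):
        self.accounts.pop(username, None)
        return self._revoke_all(username)


def demo():
    """Replays the reported sequence: user logs in (Browser 2), admin
    disables the account (Browser 1), user's token must now be dead."""
    reg = AuthRegistry()
    reg.create_user("alice")
    browser2 = reg.login("alice")
    assert reg.validate(browser2)
    revoked = reg.disable_user("alice")
    return {
        "revoked": revoked,
        "old_token_valid": reg.validate(browser2),
        "new_login": reg.login("alice"),
    }


if __name__ == "__main__":
    print(demo())
```

Deleting the account takes the same path as disabling it, so a deleted user's tokens are revoked immediately rather than surviving until the user logs out.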
