Vulnerability bug report

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
2 years ago
Hello,
I am reporting this issue, which is active on my 4.20 release. I hope it has been fixed; please check.

Vulnerability: Broken Authentication & Session Management
We have observed that when we change the "password" from one browser, instead of the session expiring in the other browser, the password is simply updated there and the old session gets updated without being logged out. The flow goes like this:
Broken Authentication and Session Management > Failure to Invalidate Session > On Password Change

Steps:
1- Log in from two browsers at a time [from Chrome and from Mozilla Firefox].
2- Change the password in settings from the Chrome browser.
3- Now check Mozilla Firefox.
4- Your session got "updated" instead of expiring.

The same goes when using two different computers.
1- Log in from two computers at a time.
2- Change the password in settings from computer A.
3- Now check computer B.
4- Your session got "updated" instead of expiring.


Recommendations:
If the session is updated from one browser/computer, the other one should expire first, so that the session is renewed only after logging in again.
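Added example, not code from this bug report or from the project it concerns: a minimal session store in which a password change invalidates every other session of that user (the behaviour the recommendation above asks for) while the session that made the change stays valid. The store class, its method names and the sample users are assumptions.

```python
import hashlib
import secrets

def _hash(password: str) -> str:
    # Demo only; a real service would use argon2 or bcrypt here.
    return hashlib.sha256(password.encode()).hexdigest()

class SessionStore:
    def __init__(self) -> None:
        # username -> {"hash": str, "gen": int}; gen is bumped on every password change
        self.users = {}
        # token -> {"user": str, "gen": int}; gen current when the session was issued
        self.sessions = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = {"hash": _hash(password), "gen": 0}

    def login(self, username: str, password: str):
        user = self.users.get(username)
        if user is None or user["hash"] != _hash(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "gen": user["gen"]}
        return token

    def is_valid(self, token: str) -> bool:
        # A session stays valid only while the password it was issued under is
        # still current; a stale session is dropped the first time it is used.
        sess = self.sessions.get(token)
        if sess is None:
            return False
        if sess["gen"] != self.users[sess["user"]]["gen"]:
            del self.sessions[token]
            return False
        return True

    def change_password(self, token: str, old: str, new: str) -> bool:
        if not self.is_valid(token):
            return False
        sess = self.sessions[token]
        user = self.users[sess["user"]]
        if user["hash"] != _hash(old):  # re-authenticate before changing
            return False
        user["hash"] = _hash(new)
        user["gen"] += 1
        # Re-bind only the session that made the change; every other session for
        # this user now carries an old generation and will fail is_valid().
        sess["gen"] = user["gen"]
        return True
```

Checking the generation on every request (rather than only at login) is what makes the second browser's session expire instead of being silently "updated".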
2 years ago
Hi Riccardo,

Thanks a lot. We already have a work item for this task.