Failure to Invalidate Session
Overview
Description
HTTP is a stateless protocol, and it will not save any state of the user. Each HTTP request should contain the state of the user. ** Session** is a data structure used to store the state of each user, and it is stored on the server as well as in the cookies of a web browser. Whenever you hit any URL, the browser will send session cookies associated with that website along with the same request.
This session token must be unique for each user and should expire on logout or after a specific period.
Sometimes, Due to improper session management, the server fails to Invalidate session, Which can be further used by attackers.
Scenarios of Failure to Invalidate Session
1. On Logout (Client and Server-Side)
- Websites may fail to Invalidate session even when users click on the
Logout
button. - The website will only redirect the user to the login page, but the session cookies will be there.
- If, after logout, user press Back Button, or enter URL of the Dashboard page, He will be treated as an authenticated user.
2. On Logout (Server-Side Only)
- On click of the
Logout
button, Websites may Invalidate session on the client-side (in browser) but fail to Invalidate session at the server. - This will remove cookies from the browser, but if that session token is somehow leaked previously, an attacker can still use the same session token and access the victim's account.
3. On Password Reset and Change Concurrent Sessions On Logout
- On password change, the website should invalidate all active sessions.
- At least, the website should show a list of active sessions and ask the user whether to invalidate them.
4. On Email Change
- If the email account of the user gets compromised, the attacker can access any account associated with that email.
- The victim can change email to protect the account from the hacker.
- On the Email Change website should invalidate all other session, so that the hacker will not be able to access the account.
6. Long Timeout
- After a specific period, the session should expire and ask the user to re-login.
- This will add extra security to the user's account.
- How much time limit should be given to session is purely depends on the application.
- Critical Applications like online banking portals should invalidate session after a few minutes only.
Impact
- This has no high impact, But it is good practice to invalidate sessions on actions like password change, logout, 2FA activation, etc.
- Leaked session tokens can be used by an attacker to access unauthorized accounts.
Prevention
- Invalidate sessions on actions like password change, logout, 2FA activation, etc.