Added support for request timeout for login requests to address vulnerability to playback attacks.
Changes
If an application has expiry status enabled in config, we expect the password field to contain data in the following format: [password]+[separator]+[timestamp]
Since the payload is AES encrypted, we can securely transfer this string to the server and evaluate the timestamp information.
This assumes the timestamp is the current Unix timestamp, which requires client and server clocks to be synchronized.
How to test
Capturing a login request and replaying it to the server no longer authenticates as a valid request because the request has timed out.
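An added example of the server-side freshness check described above, not code from this pull request: it takes the already-decrypted [password]+[separator]+[timestamp] string (the AES layer is assumed to have been handled before this point) and rejects stale or malformed requests. The separator, window lengths and function names are assumptions.

```python
import time
from typing import Optional, Tuple

# Constructed parameters; the pull request does not state the separator or window.
SEPARATOR = "|"
MAX_AGE_SECONDS = 30         # requests older than this are treated as timed out
MAX_FUTURE_SKEW_SECONDS = 5  # tolerance for a client clock slightly ahead of the server


def split_password_field(field: str, separator: str = SEPARATOR) -> Optional[Tuple[str, int]]:
    """Split '[password]+[separator]+[timestamp]' into (password, timestamp).

    Splits on the LAST separator so a password that itself contains the
    separator character is not truncated. Returns None when the field is
    malformed (no separator, or the timestamp is not a non-negative integer).
    """
    if separator not in field:
        return None
    password, _, stamp = field.rpartition(separator)
    if not stamp.isdigit():
        return None
    return password, int(stamp)


def timestamp_is_fresh(stamp: int, now: int,
                       max_age: int = MAX_AGE_SECONDS,
                       max_future: int = MAX_FUTURE_SKEW_SECONDS) -> bool:
    """Accept only timestamps inside [now - max_age, now + max_future]."""
    return (now - max_age) <= stamp <= (now + max_future)


def check_login_field(field: str, now: Optional[int] = None) -> Tuple[str, str]:
    """Server-side freshness check on the decrypted password field.

    Returns ("ok", password) when the timestamp is fresh, otherwise
    ("rejected", reason). Verifying the password itself against the
    credential store happens after this check and is not shown here.
    """
    now = int(time.time()) if now is None else now
    parsed = split_password_field(field)
    if parsed is None:
        return ("rejected", "malformed password field")
    password, stamp = parsed
    if not timestamp_is_fresh(stamp, now):
        return ("rejected", "request timed out")
    return ("ok", password)
```

A captured request can still be replayed inside the freshness window, so a server that must reject every replay also needs to remember recently accepted (user, timestamp) pairs for the length of that window.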