asaunin / social-network-spring

Social Network application (spring boot data mvc security restful cors xsrf angular swagger facebook / google signin)
https://social-network-angularjs.herokuapp.com/

[BUG] Session hijacking #9

Open JayDew opened 4 years ago

JayDew commented 4 years ago

Expected Behavior

After a user is logged out, a new user can log in on the same browser page.

Actual Behavior

The session cookie will remain valid; the new user is unable to log in and will be granted access to the previous user's account. This represents a serious security issue.

Steps to Reproduce the Problem

  1. Create a new account: email@email.com pwd:email
  2. Log-out
  3. Log-in as m_korleone@mail.ru, pwd: 12345
  4. The previous account will still be logged in

Possible fixes

Specifications

asaunin commented 4 years ago

@JayDew thank you for the detailed bug report, but unfortunately this project is no longer supported by me. I guess if you add something from the following here: https://github.com/asaunin/social-network-spring/blob/master/api/src/main/java/org.asaunin.socialnetwork/config/SecurityConfiguration.java#L82 it will resolve the issue:

logout()
    .clearAuthentication(true)
// or
    .deleteCookies("JSESSIONID")
// or
    .invalidateHttpSession(true) 

Feel free to make a PR if it helps ;)
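For reference, here is an added example (not the project's own SecurityConfiguration, nor code from either commenter) of a Spring Security 5 configuration that applies all three of the suggested logout options together, so the server-side session is destroyed, the SecurityContext is cleared, and the browser is told to drop the JSESSIONID cookie; it also rotates the session id on login so a pre-login id cannot be reused. The endpoint paths, the WebSecurityConfigurerAdapter style and the 204 logout response are assumptions, and the project's CORS/XSRF settings are not reproduced here.

```java
// Added example: hardened logout/session handling for a session-cookie based
// Spring Security app. Paths and class layout are assumed, not the project's.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // assumed endpoint names
                .antMatchers("/api/login", "/api/logout").permitAll()
                .anyRequest().authenticated()
                .and()
            .sessionManagement()
                // issue a fresh session id when authentication succeeds, so a
                // session id seen before login does not stay valid afterwards
                .sessionFixation().migrateSession()
                .and()
            .logout()
                .logoutUrl("/api/logout")
                // 1) drop the Authentication from the SecurityContext
                .clearAuthentication(true)
                // 2) destroy the server-side HttpSession (the actual fix for
                //    the old session staying usable after logout)
                .invalidateHttpSession(true)
                // 3) instruct the browser to discard the session cookie so the
                //    next login on the same page starts from a clean state
                .deleteCookies("JSESSIONID")
                // REST-style logout: no redirect, just an empty success response
                .logoutSuccessHandler((request, response, auth) -> response.setStatus(204));
    }
}
```

With only deleteCookies the server-side session would still exist until it times out, so invalidateHttpSession is the option that actually closes the gap reported above; the other two make the browser state consistent.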