bahmni-bihar / bahmni_config


The session does not expire after password change #10

Open petmongrels opened 3 years ago

petmongrels commented 3 years ago

"OWASP Session Management Testing, OWASP Authentication Testing"

Log in to Browser A and make sure to check the 'stay logged in to this device' checkbox while logging in. From Browser B, log in to your account and change the password. Notice that the session on Browser A will remain active and does not expire. Due to this bug, there is no way for the victim to revoke the attacker's access if the account has already been compromised. In this scenario, changing the password doesn't destroy the other sessions which are logged in ...

Weakness: Insufficient Session Expiration

"1. We logged into the same account in two different browsers.
2. We then changed the password in one of them.
3. We then noticed that our session still continues in the other browser."

Proof of Concept is attached along with this Tracker.

Estimate 1
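A minimal server-side model of the behaviour this report asks for, added here as an illustration and not code from Bahmni or OpenMRS: a session store whose password change revokes every other session and every 'stay logged in' token for the account, while `revoke_others=False` reproduces the reported behaviour. The class and method names (`SessionStore`, `resume`, `change_password`) and the PBKDF2 hashing are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def _hash(password, salt):
    # PBKDF2 stands in for the real password hash; the scheme is not the point here
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000).hex()

class SessionStore:
    def __init__(self):
        self.accounts = {}         # username -> {"salt", "hash"}
        self.sessions = {}         # session id -> username (one per browser)
        self.remember_tokens = {}  # 'stay logged in' token -> username
    def register(self, username, password):
        salt = secrets.token_hex(8)
        self.accounts[username] = {"salt": salt, "hash": _hash(password, salt)}
    def _check(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(acct["hash"], _hash(password, acct["salt"]))
    def login(self, username, password, stay_logged_in=False):
        if not self._check(username, password):
            return None, None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        token = None
        if stay_logged_in:  # persistent token a browser can later exchange for a new session
            token = secrets.token_urlsafe(32)
            self.remember_tokens[token] = username
        return sid, token
    def is_active(self, sid):
        return sid in self.sessions
    def resume(self, token):
        # What Browser A does on restart with its 'stay logged in' cookie
        username = self.remember_tokens.get(token)
        if username is None:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def change_password(self, username, old, new, current_sid, revoke_others=True):
        if not self._check(username, old):
            return False
        self.register(username, new)  # store the new hash under a fresh salt
        if revoke_others:
            # Drop every other session AND every persistent token for this account (the fix);
            # revoke_others=False leaves them in place, which is the behaviour reported above
            self.sessions = {s: u for s, u in self.sessions.items() if u != username or s == current_sid}
            self.remember_tokens = {t: u for t, u in self.remember_tokens.items() if u != username}
        return True
```

The session that performed the change is deliberately kept so the user is not logged out of the browser they are working in; everything else, including the persistent token, must go.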