Open lujiefsi opened 1 year ago
The login sessions expire after 30 minutes of inactivity (keep in mind the word inactivity: if the user still performs actions, the session will not be killed until 30 minutes of inactivity).
When a user is logged in, everything is kept on the OpenKM side: the security groups etc. at the moment of user login are kept in memory and alive until the session expires (30 minutes of inactivity), the user logs out, or the OpenKM service restarts.
From administration -> users, you have the option to see alive sessions (logged users).
Take a look at this class https://github.com/openkm/document-management-system/blob/master/src/main/java/com/openkm/servlet/admin/LoggedUsersServlet.java
In this class the users are managed. https://github.com/openkm/document-management-system/blob/master/src/main/java/com/openkm/servlet/admin/AuthServlet.java
You could implement killing sessions from one of these classes.
After user1 logs in, we delete user1 in another page as admin. But user1 is still able to do anything. Such a bug belongs to CWE-613: Insufficient Session Expiration. We should expire the session or token of users when they are deleted.
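One defender-side way to close the gap described in this thread, as an added example that is not OpenKM's own code: a servlet session registry (the class name, the `user.id` attribute and the `register`/`invalidateAll` hooks are all assumptions) that the login path populates and the user-deletion path calls, so every live session of a deleted user is invalidated immediately instead of surviving until the 30-minute timeout.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical registry mapping a user id to the HttpSessions currently alive for that user.
@WebListener
public class UserSessionRegistry implements HttpSessionListener {
    // Session attribute under which the login code is assumed to store the user id.
    public static final String USER_ATTR = "user.id";

    private static final Map<String, Set<HttpSession>> SESSIONS_BY_USER = new ConcurrentHashMap<>();

    // Assumed hook: called by the login code right after successful authentication.
    public static void register(HttpSession session, String userId) {
        session.setAttribute(USER_ATTR, userId);
        SESSIONS_BY_USER.computeIfAbsent(userId, k -> ConcurrentHashMap.newKeySet()).add(session);
    }

    // Assumed hook: called by the user-deletion (or disable / password-reset) code.
    // Returns the number of sessions that were actually killed.
    public static int invalidateAll(String userId) {
        Set<HttpSession> sessions = SESSIONS_BY_USER.remove(userId);
        if (sessions == null) return 0;
        int killed = 0;
        for (HttpSession s : sessions) {
            try {
                s.invalidate(); // triggers sessionDestroyed below; the map entry is already gone
                killed++;
            } catch (IllegalStateException alreadyInvalid) {
                // session timed out or was logged out concurrently; nothing left to do
            }
        }
        return killed;
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) { /* nothing to track until login */ }

    // Keeps the registry in sync when a session ends by timeout, logout or invalidate().
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        Object userId = session.getAttribute(USER_ATTR);
        if (!(userId instanceof String)) return;
        Set<HttpSession> set = SESSIONS_BY_USER.get(userId);
        if (set == null) return;
        set.remove(session);
        if (set.isEmpty()) SESSIONS_BY_USER.remove(userId, set);
    }
}
```

Because the registry is in-process memory only, it matches the single-node model described above; a clustered deployment would need a shared store or a per-request check that the user still exists.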