Concurrent User Sessions and User sessions not terminating after password change
Hey,
We've just had a pen test done on one of our sites and some issues came up that we'd like to fix but unsure how to approach.
Concurrent Sessions Permitted
Is it possible to prevent concurrent user login sessions? Currently the same user can log in from multiple browsers and multiple locations. Ideally a new login should terminate the previous one.
Session not Terminated after Password Change
Similarly it looks like if you change your password while there's other sessions it won't terminate them.
Any suggestions on how to fix these? Or is t best just taking it straight to github?
I don't know the answer to your questions, but these are not issues that require fixing, it is a preference if you want to change the normal behaviour of .Net.
Sessions belong to clients not servers so you can't just terminate them, but you could implemented a custom solution quite easily which would force a user to re-login when they next refresh or open a new page or check if that accounts already logged in etc.
It is not an issue for github as it is not a bug or problem with Umbraco.
To do this you need to maintain state somewhere that is accessible to your server(s). You can store a session ID in a database when the user logs in. Each web app client should hit a heartbeat url (e.g., every few minutes). The back end for the heartbeat checks the session id in the database. If it is the active one for the user, then all is good; otherwise it clears the cookie. If you are using a persistent connection to the client (websocket) then you can push a message to the client to indicate the session is no longer valid.
If you need to be sure that no other action by the user's other session can take place once a new session has started, then you'll need to check the session (as described above) on every call. ASP.NET Core's middleware capability is perfect for this.
Concurrent User Sessions and User sessions not terminating after password change
Hey,
We've just had a pen test done on one of our sites and some issues came up that we'd like to fix but unsure how to approach.
Concurrent Sessions Permitted
Is it possible to prevent concurrent user login sessions? Currently the same user can log in from multiple browsers and multiple locations. Ideally a new login should terminate the previous one.
Session not Terminated after Password Change
Similarly it looks like if you change your password while there's other sessions it won't terminate them.
Any suggestions on how to fix these? Or is t best just taking it straight to github?
Cheers, Mark V
I don't know the answer to your questions, but these are not issues that require fixing, it is a preference if you want to change the normal behaviour of .Net.
Sessions belong to clients not servers so you can't just terminate them, but you could implemented a custom solution quite easily which would force a user to re-login when they next refresh or open a new page or check if that accounts already logged in etc.
It is not an issue for github as it is not a bug or problem with Umbraco.
To do this you need to maintain state somewhere that is accessible to your server(s). You can store a session ID in a database when the user logs in. Each web app client should hit a heartbeat url (e.g., every few minutes). The back end for the heartbeat checks the session id in the database. If it is the active one for the user, then all is good; otherwise it clears the cookie. If you are using a persistent connection to the client (websocket) then you can push a message to the client to indicate the session is no longer valid.
If you need to be sure that no other action by the user's other session can take place once a new session has started, then you'll need to check the session (as described above) on every call. ASP.NET Core's middleware capability is perfect for this.
is working on a reply...