Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Mark V 28 posts 158 karma points
    Apr 14, 2023 @ 10:37
    Mark V
    0

    Concurrent User Sessions and User sessions not terminating after password change

    Hey,

    We've just had a pen test done on one of our sites and some issues came up that we'd like to fix but unsure how to approach.

    Concurrent Sessions Permitted

    Is it possible to prevent concurrent user login sessions? Currently the same user can log in from multiple browsers and multiple locations. Ideally a new login should terminate the previous one.


    Session not Terminated after Password Change

    Similarly it looks like if you change your password while there's other sessions it won't terminate them.

    Any suggestions on how to fix these? Or is t best just taking it straight to github?

    Cheers, Mark V

  • Huw Reddick 1929 posts 6717 karma points MVP 2x c-trib
    Apr 14, 2023 @ 14:13
    Huw Reddick
    1

    I don't know the answer to your questions, but these are not issues that require fixing, it is a preference if you want to change the normal behaviour of .Net.

    Sessions belong to clients not servers so you can't just terminate them, but you could implemented a custom solution quite easily which would force a user to re-login when they next refresh or open a new page or check if that accounts already logged in etc.

  • Huw Reddick 1929 posts 6717 karma points MVP 2x c-trib
    Sep 07, 2023 @ 14:35
    Huw Reddick
    0

    It is not an issue for github as it is not a bug or problem with Umbraco.

    To do this you need to maintain state somewhere that is accessible to your server(s). You can store a session ID in a database when the user logs in. Each web app client should hit a heartbeat url (e.g., every few minutes). The back end for the heartbeat checks the session id in the database. If it is the active one for the user, then all is good; otherwise it clears the cookie. If you are using a persistent connection to the client (websocket) then you can push a message to the client to indicate the session is no longer valid.

    If you need to be sure that no other action by the user's other session can take place once a new session has started, then you'll need to check the session (as described above) on every call. ASP.NET Core's middleware capability is perfect for this.

Please Sign in or register to post replies

Write your reply to:

Draft