[security-dev] PLINK-84 - Login can be bypassed with any user after a first successful login
Darran Lofthouse
darran.lofthouse at jboss.com
Wed Jan 30 10:46:25 EST 2013
On 01/30/2013 03:33 PM, Bruno Oliveira wrote:
> So if I'm a bank where the user account is logged in, and this user has just forgotten to 'logout', another person using his computer can just bypass the login, because the session still exists?
>
> Another scenario: I'm on the same network as John, running my whatever-sniffer, then it's just a matter of grabbing the current session ID and logging in? Am I wrong? Because if I understood correctly, after user login, even if I invoke this method for a second time, what really matters is the session ID.
Yes, that is a downside of associating an authenticated identity with
the session: that session could be hijacked.
>
> I'm confused.
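The risk discussed above (an authenticated identity bound to a session whose ID can be reused) is usually reduced by three server-side controls: rotating the session ID at login so a pre-authentication ID never becomes an authenticated one, expiring idle sessions, and destroying the session on logout. The following is an added illustration written for this thread, not PicketLink's code; the `SessionStore` class, the `IDLE_TIMEOUT` value and the injectable `clock` are assumptions of the example.

```python
import secrets
import time

# Constructed value for the example: seconds of inactivity after which a session dies.
IDLE_TIMEOUT = 900


class SessionStore:
    """In-memory session store showing ID rotation, idle expiry and logout (example code)."""

    def __init__(self, clock=time.time):
        # clock is injectable so expiry can be exercised without real waiting.
        self._sessions = {}
        self._clock = clock

    @staticmethod
    def _new_id():
        # 256 bits from the OS CSPRNG; an ID that can be guessed is as bad as one that is sniffed.
        return secrets.token_urlsafe(32)

    def create(self):
        """Anonymous (pre-login) session, as a container would hand out on first request."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, sid, user):
        """Bind an identity to the session, but under a fresh ID.

        The ID the client held before authenticating is discarded, so anyone who
        captured or planted it does not inherit the authenticated session.
        """
        if self._sessions.pop(sid, None) is None:
            raise KeyError("unknown or expired session")
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def current_user(self, sid):
        """Return the user bound to sid, or None if the session is unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            # A forgotten browser tab stops being a standing credential after the timeout.
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        """Destroy the session server-side; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)


def demo():
    """Walk through the lifecycle and report which IDs still resolve to a user."""
    clock = [1000.0]
    store = SessionStore(clock=lambda: clock[0])
    anon = store.create()
    authed = store.login(anon, "john")
    clock[0] += IDLE_TIMEOUT + 1
    return {
        "old_id_after_login": store.current_user(anon),
        "rotated": authed != anon,
        "after_idle_timeout": store.current_user(authed),
    }


if __name__ == "__main__":
    print(demo())
```

Rotation on login is the control that addresses the "invoke the method a second time" concern: the second call never reuses the earlier ID. The idle timeout and explicit logout bound how long a forgotten or copied ID stays useful; neither makes a captured ID harmless within that window, which is why the transport must also be protected (TLS, `Secure` and `HttpOnly` cookie flags).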