[security-dev] PLINK-84 - Login can be bypassed with any user after a first successful login

Darran Lofthouse darran.lofthouse at jboss.com
Wed Jan 30 10:46:25 EST 2013


On 01/30/2013 03:33 PM, Bruno Oliveira wrote:
> So if I'm a bank where the user account is logged in, and this user has just forgotten to 'logout'. Another person using his computer can just bypass the login, because the session still exists?
>
> Another scenario: I'm on the same network as John, running my whatever-sniffer, then it's just a matter of grabbing the current session ID and logging in? Am I wrong? Because if I understood correctly, after user login, even if I invoke this method a second time, what really matters is the session ID.

Yes, that is a downside of associating an authenticated identity with 
the session: that session could be hijacked.

>
> I'm confused.


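To make the behaviour discussed above concrete, here is an added model (not PicketLink code, and not the project's API) of a login manager that trusts an already-authenticated session and so accepts a second login with any credentials, beside a hardened variant that always verifies the presented credentials and rotates the session identifier on success. The credential store and user names are constructed for the demo.

```python
import secrets
import hmac

# Constructed credential store for the demo; not PicketLink's API.
USERS = {"john": "s3cret", "alice": "hunter2"}

def _credentials_ok(user, password):
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)

class VulnerableLoginManager:
    """Models the reported behaviour: once a session carries an identity,
    later login calls trust the session and never re-check credentials."""
    def __init__(self):
        self.sessions = {}  # session_id -> identity (None = anonymous)

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def login(self, sid, user, password):
        if self.sessions.get(sid) is not None:
            return True, sid  # bug: already authenticated, credentials ignored
        if _credentials_ok(user, password):
            self.sessions[sid] = user
            return True, sid
        return False, sid

class HardenedLoginManager(VulnerableLoginManager):
    """Always verifies the presented credentials and rotates the session id
    on success, so a reused or sniffed pre-login id never gains the identity."""
    def login(self, sid, user, password):
        if not _credentials_ok(user, password):
            return False, sid
        self.sessions.pop(sid, None)  # retire the pre-login session id
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = user
        return True, new_sid

    def logout(self, sid):
        self.sessions.pop(sid, None)  # drop the session, not just the identity

def demo(manager_cls):
    """John logs in, then a bogus second login is attempted on the same session."""
    m = manager_cls()
    sid = m.new_session()
    first, sid = m.login(sid, "john", "s3cret")
    second, sid = m.login(sid, "mallory", "wrong-password")
    return first, second, m.sessions.get(sid)
```

The hardened variant also shows why `logout` must invalidate the session itself, which addresses the forgotten-logout scenario raised in the thread.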