On 01/30/2013 03:33 PM, Bruno Oliveira wrote:
So if I'm a bank where the user account is logged in, and this user
has just forgotten to 'logout', another person using his computer can just bypass the
login, because the session still exists?
Another scenario: I'm on the same network as John, running my whatever-sniffer, then
it's just a matter of grabbing the current session ID and logging in? Am I wrong? Because if I
understood correctly, after user login, even if I invoke this method for a second time,
what really matters is the session ID.
Yes, that is a downside of associating an authenticated identity with
the session: that session could be hijacked.
I'm confused.
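The thread's point is that once identity is tied to a session, the session ID is the credential, so a forgotten logout or a copied ID is enough to act as the user. The usual server-side mitigations are a fresh, unguessable ID issued at login (so an ID observed or planted before authentication is worthless afterwards), an idle timeout that retires abandoned sessions, a hard lifetime cap, and explicit invalidation on logout. The following store is an added illustration written for this page, not code from the thread or from any framework; the timeout values and the `SessionStore` API are assumptions chosen for the example.

```python
import secrets
import time

# Assumed policy values for the example: 15 minutes idle, 8 hours absolute.
IDLE_TIMEOUT = 15 * 60
ABSOLUTE_TIMEOUT = 8 * 3600


class SessionStore:
    """Minimal server-side session store demonstrating hijack mitigations."""

    def __init__(self, clock=time.time):
        # Injectable clock so expiry behaviour can be exercised offline.
        self._clock = clock
        # session_id -> {"user": str | None, "created": float, "last_seen": float}
        self._sessions = {}

    def _new_record(self, user):
        now = self._clock()
        # 32 random bytes from the OS CSPRNG: the ID cannot be guessed or enumerated.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def create(self):
        """Start an anonymous session for a visitor who has not logged in."""
        return self._new_record(None)

    def login(self, sid, user):
        """Authenticate: drop the pre-login ID and issue a brand-new one.

        Rotating the ID means an ID captured or fixed before login grants
        nothing after login; only the client that completed authentication
        receives the new value.
        """
        self._sessions.pop(sid, None)
        return self._new_record(user)

    def logout(self, sid):
        """Explicit logout invalidates the ID server-side, not just the cookie."""
        self._sessions.pop(sid, None)

    def resolve(self, sid):
        """Return the session record for a live ID, or None if unknown/expired.

        Expired sessions are deleted on sight, so an ID left behind on a shared
        machine stops working once the idle or absolute limit has passed.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        idle_expired = now - sess["last_seen"] > IDLE_TIMEOUT
        abs_expired = now - sess["created"] > ABSOLUTE_TIMEOUT
        if idle_expired or abs_expired:
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess


def demo():
    """Walk through the thread's two scenarios against the store."""
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    anon = store.create()
    auth = store.login(anon, "alice")
    # Pre-login ID is dead; only the rotated ID carries the identity.
    pre_login_reusable = store.resolve(anon) is not None
    user_now = store.resolve(auth)["user"]
    # Forgotten logout: after the idle window the ID no longer resolves.
    clock[0] += IDLE_TIMEOUT + 1
    still_alive_after_idle = store.resolve(auth) is not None
    return pre_login_reusable, user_now, still_alive_after_idle


if __name__ == "__main__":
    print(demo())
```

`resolve` is the only entry point request handlers should use to map an ID to a user; because it both checks the timeouts and refreshes `last_seen`, every request that touches the session also renews the idle window, while the absolute cap still ends the session regardless of activity.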