CWE-613: Insufficient Session Expiration #353
The login sessions expire after 30 minutes of inactivity (keep in mind the word inactivity: if the user still performs actions, the session will not be killed until 30 minutes of inactivity). When a user is logged in, everything is kept on the OpenKM side, the security groups etc. At the moment, user logins are kept in memory and alive until the session expires (30 minutes of inactivity), the user logs out, or the OpenKM service restarts. From Administration -> Users you have the option to see alive sessions (logged users). Take a look at this class: https://github.com/openkm/document-management-system/blob/master/src/main/java/com/openkm/servlet/admin/LoggedUsersServlet.java The users are managed in this class. You could implement killing the session from one of these classes.
After user1 logs in, we delete user1 in another page as admin. But user1 is still able to do anything. Such a bug belongs to CWE-613: Insufficient Session Expiration. We should expire the session or token of users when they are deleted.
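One way to implement the session kill the maintainer suggests, added here as an illustration and not OpenKM's own code: a small servlet-API registry that tracks live sessions per user and invalidates all of them when the account is deleted, so a deleted user cannot keep acting until the inactivity timeout. The class name, the `openkm.user` attribute name and the call sites (`register` after login, `invalidateAll` in the admin delete path) are assumptions.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical registry of live sessions per user (not OpenKM's own code).
// Lets the account-deletion path end every session a user still holds,
// instead of leaving them valid until the 30-minute inactivity timeout.
@WebListener
public class UserSessionRegistry implements HttpSessionListener {
    // Assumed attribute name under which the login code stores the user id.
    public static final String USER_ATTR = "openkm.user";
    private static final Map<String, Set<HttpSession>> SESSIONS = new ConcurrentHashMap<>();

    // Call right after a successful login, once USER_ATTR has been set on the session.
    public static void register(HttpSession session) {
        String user = (String) session.getAttribute(USER_ATTR);
        if (user == null) return;
        SESSIONS.computeIfAbsent(user, k -> ConcurrentHashMap.newKeySet()).add(session);
    }

    // Call from the admin user-deletion (or disable) path. Returns the number of sessions ended.
    public static int invalidateAll(String user) {
        Set<HttpSession> live = SESSIONS.remove(user);   // detach first so the
        if (live == null) return 0;                       // destroy callback sees no entry
        int ended = 0;
        for (HttpSession s : live) {
            try {
                s.invalidate();   // server-side state is gone; the cookie no longer maps to anything
                ended++;
            } catch (IllegalStateException alreadyInvalid) {
                // timed out or logged out concurrently; nothing left to end
            }
        }
        return ended;
    }

    @Override
    public void sessionCreated(HttpSessionEvent e) {
        e.getSession().setMaxInactiveInterval(30 * 60);   // the documented inactivity limit
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent e) {
        // Drop timed-out / logged-out sessions so the registry cannot grow unbounded.
        String user = (String) e.getSession().getAttribute(USER_ATTR);
        Set<HttpSession> live = user == null ? null : SESSIONS.get(user);
        if (live != null && live.remove(e.getSession()) && live.isEmpty()) SESSIONS.remove(user, live);
    }
}
```

Because `invalidate()` removes the server-side state, a request that still carries the old session cookie is treated as unauthenticated, which is the behaviour the issue asks for; the same `invalidateAll` call fits a password reset or account disable.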