CWE-613: Insufficient Session Expiration #353
Comments
|
The login sessions expire after 30 minutes of inactivity ( keep in mind the word inactivity, if the user still does actions will the session will not be killed until 30 minutes of inactivity). When a user is logged everything is kept on the OpenKM side, the security groups etc... at the moment user login are kept in memory and alive until the session expires ( 30 minutes inactivity ), users logout or OpenKM restart service. From administration -> users -> have the option to see alive sessions ( logged users ) Take a look at this class https://github.com/openkm/document-management-system/blob/master/src/main/java/com/openkm/servlet/admin/LoggedUsersServlet.java In this class are managed the users. You could implement, killing session from one of these classes. |
after user1 login, we delete user1 in another page as admin. But user1 is still able do anything. Such bug belong to CWE-613: Insufficient Session Expiration. we shoud expire the session or token of users when they were deleted.
The text was updated successfully, but these errors were encountered: