Details
- Bug
- Resolution: Not an issue
- Neutral
- None
- 5.5.3
- None
- None
Description
Risk Impact: Very Low (1)
Ease Of Exploitation: Very Hard (1)
Complexity To Fix: Simple (2)
Description
It was possible to authenticate to the application more than once, from different client machines, using the same authentication credentials. One tenet of security auditing is to ensure that every action can be attributed to an individual. Concurrent logins break this security principle.
Details
The Magnolia application supports concurrent sessions with the same account.
The account named RA_CONTENT_AUTHOR was logged in the application with the Mozilla Firefox browser.
The same account was then able to log in from the Google Chrome browser.
Both sessions remained active and retained their full user functionality.
Short Recommendation
Restrict users to a single session per account.
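One way to back such a restriction is a per-account session registry that a login handler and session-expiry listener would call. The class below is an added illustration written for this report, not Magnolia code; the class, method names and session ids are hypothetical, and the `main` walks through the Firefox-then-Chrome scenario described above.

```java
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical single-session-per-account registry (added example, not Magnolia's own code).
 * On login it records the new session id for the account and hands back the id of any
 * session that was already active, so the caller can invalidate that older session.
 */
public class SingleSessionRegistry {
    // account name -> id of the one session currently allowed to be active for it
    private final Map<String, String> activeSession = new ConcurrentHashMap<>();

    /** Registers a new login; returns the previously active session id, if a different one existed. */
    public Optional<String> login(String account, String newSessionId) {
        String previous = activeSession.put(account, newSessionId);
        if (previous == null || previous.equals(newSessionId)) {
            return Optional.empty();
        }
        return Optional.of(previous); // caller should invalidate this session
    }

    /** Clears the registration on logout or timeout, but only if it is still the current session. */
    public void logout(String account, String sessionId) {
        activeSession.remove(account, sessionId); // conditional remove: stale sessions cannot evict a newer one
    }

    /** True if this session is the one currently authorized for the account. */
    public boolean isCurrent(String account, String sessionId) {
        return sessionId.equals(activeSession.get(account));
    }

    public static void main(String[] args) {
        SingleSessionRegistry registry = new SingleSessionRegistry();
        // Constructed session ids standing in for the two browser sessions in the finding.
        String firefox = "sess-firefox-1";
        String chrome = "sess-chrome-2";

        System.out.println("Firefox login evicts: " + registry.login("RA_CONTENT_AUTHOR", firefox));
        System.out.println("Chrome login evicts:  " + registry.login("RA_CONTENT_AUTHOR", chrome));
        System.out.println("Firefox still current? " + registry.isCurrent("RA_CONTENT_AUTHOR", firefox));
        System.out.println("Chrome still current?  " + registry.isCurrent("RA_CONTENT_AUTHOR", chrome));

        // A late timeout of the evicted Firefox session must not unregister the Chrome session.
        registry.logout("RA_CONTENT_AUTHOR", firefox);
        System.out.println("Chrome current after stale logout? " + registry.isCurrent("RA_CONTENT_AUTHOR", chrome));
    }
}
```

In a servlet container the `logout` call would typically come from an `HttpSessionListener.sessionDestroyed` hook and the evicted session from `login` would be invalidated, so the Firefox session in the finding would lose its functionality as soon as the Chrome login succeeded.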
Checklists
Acceptance criteria