[MAGNOLIA-7331] Concurrent Logins Supported - Magnolia admin

Created: 04/Jun/18
Updated: 10/Mar/21
Resolved: 10/Mar/21

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 5.5.3
Fix Version/s: None

Type: Bug
Priority: Neutral
Reporter: Mark Cunningham
Assignee: Unassigned
Resolution: Not an issue
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

Risk Impact

Very Low (1)

Ease Of Exploitation

Very Hard (1)

Complexity To Fix

Simple (2)

Description

It was possible to authenticate to the application more than once, from different client machines, using the same authentication credentials. One tenet of security auditing is to ensure that every action can be attributed to an individual. Concurrent logins break this security principle.

Details

The Magnolia application supports concurrent sessions with the same account.
The account named RA_CONTENT_AUTHOR was logged in to the application with the Mozilla Firefox browser.
The same account was then able to log in using the Google Chrome browser.
Both sessions remained active and retained their full user functionality.

Short Recommendation

Restrict users to a single session per account.
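
Added example, not part of the original report and not Magnolia code: a minimal in-memory session registry showing one way to enforce the recommendation, where a new login for an account evicts the older session and records the eviction for audit. The class and method names are hypothetical, and the "newest login wins" policy is an assumption; rejecting the second login is the other common choice.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    token: str
    account: str
    client: str      # browser or source address, kept for the audit trail
    created: float


class SingleSessionRegistry:
    """Hypothetical registry: one live session per account, newest login wins."""

    def __init__(self, clock=time.time):
        self._by_account = {}   # account -> Session
        self._by_token = {}     # token -> Session
        self._clock = clock
        self.audit = []         # (timestamp, event, account, client)

    def login(self, account, client):
        """Call after credentials are verified; evicts any older session."""
        old = self._by_account.pop(account, None)
        if old is not None:
            del self._by_token[old.token]
            self._log("session_evicted", account, old.client)
        session = Session(secrets.token_urlsafe(32), account, client, self._clock())
        self._by_account[account] = session
        self._by_token[session.token] = session
        self._log("login", account, client)
        return session.token

    def validate(self, token):
        """Return the account for a live token, or None if evicted or unknown."""
        session = self._by_token.get(token)
        return session.account if session else None

    def logout(self, token):
        session = self._by_token.pop(token, None)
        if session is not None:
            del self._by_account[session.account]
            self._log("logout", session.account, session.client)

    def _log(self, event, account, client):
        self.audit.append((self._clock(), event, account, client))
```

With this policy, the Firefox session from the Details above would stop validating as soon as the Chrome login succeeded, and the audit list would show which client was displaced.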

