Hello there
I have noticed there is a (Broken Authentication and Session Management) bug in your website.
POC:
Steps:
We have to use two browsers: (Browser A) and (Browser B).
Step 1: Open (Browser A) and go to "https://key.fundrequest.io/auth/realms/fundrequest/protocol/openid-connect/auth?response_type=code&client_id=fundrequest_dev&redirect_uri=https%3A%2F%2Ffundrequest.io%2Fsso%2Flogin&state=efff0a99-79e7-4c60-a883-12ebaeb384e7&login=true&scope=openid" and log in to your "fundrequest" account with your valid email and password.
Step 2: Open (Browser B) and (similarly) go to "https://key.fundrequest.io/auth/realms/fundrequest/login-actions/reset-credentials?client_id=fundrequest_dev&tab_id=M58shjzspTU&response_type=code&client_id=fundrequest_dev&redirect_uri=https%3A%2F%2Ffundrequest.io%2Fsso%2Flogin&state=efff0a99-79e7-4c60-a883-12ebaeb384e7&login=true&scope=openid" and get a password reset token.
Step 3: Suppose (Browser A) is a shared computer's browser, and you left your account logged in at that computer. Then you change your account password from (Browser B) using the password reset token link: go to (Browser B) and change your account password.
Step 4: When you change your account password at (Browser B), the session at (Browser A) should expire and the account should automatically be logged out.
Step 5: Go to (Browser B), visit your account page and refresh the page.
You will notice that even after changing the account password at (Browser B), the session at (Browser A) didn't expire, which can cause major problems. Also, after that you can still change user information.
Impact
Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions. Because “walk by” attacks are likely for many web applications, all account management functions should require re-authentication even if the user has a valid session id.
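The session-invalidation failure described in the steps above, modelled as an added example that is not part of this report or of the FundRequest/Keycloak code base; the `SessionStore`, `credential_version` and `replay_report` names are assumptions of this example, and the scenario data is constructed:

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed in-memory model of an SSO session store. Each user carries a
# credential_version that is bumped whenever the password is changed or
# reset; every session records the version it was issued under, so sessions
# from before the change fail validation without enumerating and deleting
# them. Account-management actions additionally require a recent login.


@dataclass
class User:
    credential_version: int = 0


@dataclass
class Session:
    username: str
    credential_version: int
    authenticated_at: float = field(default_factory=time.time)


class SessionStore:
    def __init__(self, bind_sessions_to_credentials: bool = True):
        # False reproduces the reported behaviour: sessions outlive a reset.
        self.bind = bind_sessions_to_credentials
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def login(self, username: str) -> str:
        user = self.users.setdefault(username, User())
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, user.credential_version)
        return sid

    def reset_password(self, username: str) -> None:
        # Password hash update omitted; only the session consequence matters.
        if self.bind:
            self.users[username].credential_version += 1

    def is_valid(self, sid: str) -> bool:
        s = self.sessions.get(sid)
        return s is not None and s.credential_version == self.users[s.username].credential_version

    def can_update_account(self, sid: str, max_auth_age: float = 300.0) -> bool:
        # Account updates need a valid session AND a login within max_auth_age.
        s = self.sessions.get(sid)
        return self.is_valid(sid) and time.time() - s.authenticated_at <= max_auth_age


def replay_report(bind: bool) -> bool:
    """Browser A logs in, Browser B resets the password; return whether A's session survives."""
    store = SessionStore(bind)
    browser_a = store.login("victim")
    store.reset_password("victim")  # done from Browser B via the reset link
    return store.is_valid(browser_a)
```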