Bug report - Insecure Design of frontend

[HowAboutACupOfTea]

Issue description

It is possible to bypass the log-in mechanism in the frontend of the application by copying the url of any authorized session. This allows for creating a valid session as any user by having access to the mentioned url.

Steps to reproduce the issue

1. Start the frontend and the backend
2. Log in with any user
3. Copy the url of the page which includes the user id
4. Log out
5. Open any browser at any time
6. Navigate to the previously copied url
7. You are now logged in without entering any credentials

What's the expected result?

Navigating directly to the url should automatically redirect the browser to the log-in page.

What's the actual result?

Navigating directly to the url allows using the dashboard as if a user logged in.

Insecure layer

Frontend

Possible solutions

• Automatically redirect to log-in page when navigating directly to a url containing an user id.
• Only allow navigation to the logged-in home page from the log-in page.