CWE-613: Insufficient Session Expiration

[lujiefsi]

after user1 login, we delete user1 in another page as admin. But user1 is still able do anything. Such bug belong to CWE-613: Insufficient Session Expiration. we shoud expire the session or token of users when they were deleted.

[darkman97i]

The login sessions expire after 30 minutes of inactivity ( keep in mind the word inactivity, if the user still does actions will the session will not be killed until 30 minutes of inactivity).

When a user is logged everything is kept on the OpenKM side, the security groups etc... at the moment user login are kept in memory and alive until the session expires ( 30 minutes inactivity ), users logout or OpenKM restart service.

From administration -> users -> have the option to see alive sessions ( logged users )

Take a look at this class https://github.com/openkm/document-management-system/blob/master/src/main/java/com/openkm/servlet/admin/LoggedUsersServlet.java

In this class are managed the users.
https://github.com/openkm/document-management-system/blob/master/src/main/java/com/openkm/servlet/admin/AuthServlet.java

You could implement, killing session from one of these classes.