Invalidating session on logout
Session IDs are tokens generated by DBMSs to uniquely identify a user's (or process's) session.
DBMSs will make access decisions and execute logic based on the session ID.
A captured session ID can be reused in a "replay" attack.
This requirement limits the ability of adversaries to capture and continue to employ previously valid session IDs, for example by reusing one after the legitimate user has logged out.
This requirement focuses on communications protection for the DBMS session rather than for the network packet.
attribute, and when I call logout on it, the session that is currently in context, rather than the one associated with the session object I just pulled from the HashMap, is invalidated.
This has the effect of making the session inaccessible to subsequent page requests. It still continues to exist in memory until the session timeout is reached.
This actually does not tackle the problem; it only secures the stored session data from further retrieval.
One of our applications was recently scanned by Security and they were able to do a 'Session Replay Attack' in our application.
The cookie does not appear to be expiring upon logout, which allows a user to log back in under that session even after closing everything out. This token is provided in cookies for sending requests after auth is turned on, as in the screenshot below. Once the user logs out, this token should be deleted so as to avoid token misuse.