
Expire user's valid session/tokens after admin deleting user or changing user's password

Open menghaining opened this issue 11 months ago • 0 comments

Description

When the admin deletes the user or changes the user's password, the user's current valid session/token has not expired, so the old session/token is still valid. This leads to a CWE-613 (Insufficient Session Expiration) weakness.


Attack Example

  1. admin logs in, user1 logs in;
  2. admin deletes user1 or changes user1's password to the default;
  3. user1 can still operate with the old session/token, which should have expired.

Deleting user by admin

https://github.com/TaleLin/lin-cms-spring-boot/blob/3fc25bd8c10c73db2e7230809b322127eac554e3/src/main/java/io/github/talelin/latticy/controller/cms/AdminController.java#L71-L77


Changing password

https://github.com/TaleLin/lin-cms-spring-boot/blob/3fc25bd8c10c73db2e7230809b322127eac554e3/src/main/java/io/github/talelin/latticy/controller/cms/AdminController.java#L63-L69

https://github.com/TaleLin/lin-cms-spring-boot/blob/3fc25bd8c10c73db2e7230809b322127eac554e3/src/main/java/io/github/talelin/latticy/controller/cms/UserController.java#L125-L130

https://github.com/TaleLin/lin-cms-spring-boot/blob/3fc25bd8c10c73db2e7230809b322127eac554e3/src/main/java/io/github/talelin/latticy/service/impl/UserIdentityServiceImpl.java#L55-L61

menghaining · Dec 12 '24 13:12
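The following Python script is an added example and is not code from the issue or from lin-cms-spring-boot. It replays the three attack steps above against two validators for an HMAC-signed bearer token: a weak one that only checks the signature (the behaviour the issue describes) and a hardened one that also requires the user row to still exist and the token's `ver` claim to match a per-user `token_version` that the password-change handler increments. `UserStore`, `issue_token`, `validate_vulnerable`, `validate_hardened`, the signing key and the default password are all constructed for the demo and are not the project's names or values.

```python
"""Constructed demo of CWE-613: a signed token that outlives an admin
password reset or user deletion, beside a hardened validator."""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-not-from-the-project"  # constructed, not the project's key
DEFAULT_PASSWORD = "123456"  # constructed stand-in for the reset-to-default password


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class UserStore:
    """Minimal in-memory user table standing in for the project's user service."""

    def __init__(self):
        self.users = {}  # user_id -> {"password_hash": str, "token_version": int}

    def create(self, user_id, password):
        self.users[user_id] = {"password_hash": self._hash(password), "token_version": 1}

    def delete(self, user_id):
        # Admin deletion removes the row; a hardened validator then finds no user.
        self.users.pop(user_id, None)

    def change_password(self, user_id, new_password):
        # Bumping token_version is what retires every token issued before the change;
        # the validator never looks at the password hash itself.
        user = self.users[user_id]
        user["password_hash"] = self._hash(new_password)
        user["token_version"] += 1

    @staticmethod
    def _hash(password):
        return hashlib.sha256(password.encode()).hexdigest()


def issue_token(store, user_id):
    """Sign {"sub": user_id, "ver": current token_version} with HMAC-SHA256."""
    claims = {"sub": user_id, "ver": store.users[user_id]["token_version"]}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_signature(token):
    """Return the claims dict if the HMAC is valid, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        return json.loads(payload)
    except ValueError:  # bad split, bad base64, bad JSON
        return None


def validate_vulnerable(store, token):
    """Weak check: a valid signature is all it takes, so deleting the user or
    changing the password has no effect on tokens already issued."""
    return verify_signature(token) is not None


def validate_hardened(store, token):
    """Strong check: valid signature, user still exists, and the token's version
    equals the user's current token_version."""
    claims = verify_signature(token)
    if claims is None:
        return False
    user = store.users.get(claims.get("sub"))
    if user is None:
        return False  # user deleted by admin
    return claims.get("ver") == user["token_version"]  # stale after a password change


def run_attack_scenario():
    """Replay the issue's steps and record what each validator decides."""
    store = UserStore()
    store.create("user1", "user1-original-password")
    old_token = issue_token(store, "user1")  # step 1: user1 logs in

    store.change_password("user1", DEFAULT_PASSWORD)  # step 2: admin resets the password
    fresh_token = issue_token(store, "user1")  # user1 logs in again with the new password
    results = {
        "old_token_after_reset": (validate_vulnerable(store, old_token),
                                  validate_hardened(store, old_token)),
        "fresh_token_after_reset": validate_hardened(store, fresh_token),
    }

    store.delete("user1")  # step 2 again: admin deletes user1
    results["old_token_after_delete"] = (validate_vulnerable(store, old_token),
                                         validate_hardened(store, old_token))
    results["fresh_token_after_delete"] = validate_hardened(store, fresh_token)
    return results


if __name__ == "__main__":
    for name, verdict in run_attack_scenario().items():
        print(f"{name}: {verdict}")
```

The vulnerable validator keeps accepting `old_token` after both the password reset and the deletion, which is the step-3 behaviour the issue reports; the hardened one rejects it in both cases while still accepting a token issued after the reset. Mapped onto the linked controllers, the fix is the same shape: the admin delete and password-change paths only need to remove the user or bump a version (or record a credentials-changed timestamp), and the per-request token check must consult that user state instead of trusting the signature alone. A server-side revocation list keyed by token works too, at the cost of a lookup per request.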