Security vulnerabilities

  • Status Closed
  • Assigned To cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 08.01.2025
Last edited by cbay - 08.01.2025

FS#121 - Bypass the Session Expiration in admin.alwaysdata.com

Bypass the Session Expiration in admin.alwaysdata.com

Hello Team, I hope you are doing well. I found a Bypass the Session Expiration bug in admin.alwaysdata.com; the steps are given below:

Steps To Reproduce:

1. Log in to the website on both a mobile phone and a laptop.
2. Then go to https://admin.alwaysdata.com/support/?status=open&status=unread on the mobile phone and open a ticket just as a test.
3. Fill in the form and upload anything you want.
4. Turn off Wi-Fi or mobile data on your mobile phone and click the submit button; you will see that a "no internet connection" error occurs in the mobile phone's web browser.
5. Log out from admin.alwaysdata.com on your laptop.
6. After that, turn on Wi-Fi or mobile data on your mobile phone and refresh the page in the web browser of your mobile phone; you can see that you are still logged in to the account while the session was expired from the laptop, and the session was bypassed in the mobile phone browser.

#Note: I tested on the HackerOne and PortSwigger websites; they don't have this kind of bug. Their sessions are logged out when someone logs out of their account on the laptop or PC.

Thank You,

Waleed Anwar

Closed by cbay
08.01.2025 08:05
Reason for closing: Invalid
08.01.2025: A request to reopen the task has been made. Reason for request: But the session was expired when I logged out from the laptop, yet the session was still available on the mobile device
Admin
cbay commented on 08.01.2025 08:05

Hello,

If you're not connected to the Internet, then clicking on "Logout" obviously won't work. That's not a bug.

Kind regards,
Cyril

You didn't understand what I am saying, sir. When the user clicks the logout button on the laptop, the session expires, but in this case the session was not expiring on the mobile device. Please recheck it.

Admin
cbay commented on 08.01.2025 15:55

Each device has its own session, so logging out from your laptop does not log you out from your mobile.
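
The per-device session model described in the comment above, as an added example that is not part of the original thread and is not alwaysdata's code. `SessionStore`, `logout_everywhere` and the user `alice` are hypothetical names, and the sessions are constructed in memory:

```python
import secrets


class SessionStore:
    """Minimal server-side session table: one random ID per login, i.e. per device."""

    def __init__(self):
        self._sessions = {}  # session_id -> user name

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # value the browser would keep in its cookie
        self._sessions[sid] = user
        return sid

    def is_valid(self, sid):
        return sid in self._sessions

    def logout(self, sid):
        # Ordinary logout: invalidates only the session that sent the request.
        self._sessions.pop(sid, None)

    def logout_everywhere(self, user):
        # Optional "sign out of all devices": drops every session of the user.
        stale = [s for s, u in self._sessions.items() if u == user]
        for s in stale:
            del self._sessions[s]
        return len(stale)


def replay_report():
    """Replay the reported steps with constructed sessions (hypothetical user)."""
    store = SessionStore()
    laptop = store.login("alice")   # step 1: logged in on the laptop
    mobile = store.login("alice")   # step 1: logged in on the phone
    # steps 2-4: the phone is offline, so nothing from it reaches the server
    store.logout(laptop)            # step 5: logout on the laptop
    mobile_after_logout = store.is_valid(mobile)  # step 6: phone refreshes
    revoked = store.logout_everywhere("alice")
    mobile_after_revoke = store.is_valid(mobile)
    return store.is_valid(laptop), mobile_after_logout, revoked, mobile_after_revoke


if __name__ == "__main__":
    print(replay_report())
```

With independent sessions, the phone's session outlives the laptop logout and ends only when it is revoked explicitly or expires on its own.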

But I tested on your admin.alwaysdata.com domain: if I log out on the laptop, the session expires on the mobile device also. If I turn off the Wi-Fi or mobile data on the mobile device and log out of the account from the laptop, the session is logged out on the laptop, but on just refreshing the page on the mobile device, the session was not expiring on the mobile device. I tested the same thing on the HackerOne and PortSwigger websites; they don't have this, their session was expiring while Wi-Fi or mobile data is turned off.

Admin
cbay commented on 08.01.2025 16:03

Maybe your devices synchronize their cookies in some way, but in any case that's not a bug on our side.

Sir, maybe you can try it on your side; you will definitely be sure about it.

So, is it considered or not?

Admin
cbay commented on 09.01.2025 08:08

No.
