- Status: Closed
- Assigned To: cbay
- Private
- Opened by ciphernest7 - 01.07.2026
- Last edited by cbay - 02.07.2026
FS#358 - Inadequate Concurrent Sessions
Description:
The application https://admin.alwaysdata.com/login/ does not validate the number of active sessions per user, allowing multiple concurrent logins without any limitations. Additionally, the application fails to notify users when a new session is initiated from a different location or device. This issue poses significant security risks, especially in areas handling sensitive data, such as admin panels or personal user accounts.
Steps to Reproduce:
Login from Device A:
Navigate to https://admin.alwaysdata.com/login/. Enter valid credentials and log in.
Login from Device B:
Using a different device or browser (e.g., mobile phone or another computer), navigate to https://admin.alwaysdata.com/login/. Log in with the same user credentials used in Step 1.
Verify Active Sessions:
Observe that both sessions remain active simultaneously.
Note that the application does not notify the user about the new session from a different location/device.
Actual Behavior:
The application allows multiple concurrent sessions for a single user account without any limitations.
No notifications are sent to the user when a new session is initiated from a different location or device.
There is no mechanism to monitor or manage active sessions within the user account.
Expected Behavior:
The application should limit the number of active sessions per user to enhance security.
Users should receive notifications when a new session is initiated from a different location or device.
A session management page should be provided, allowing users to view and terminate active sessions.
Impact:
Non-Repudiation Risks: The lack of session notifications and limitations can lead to unauthorized access and actions that are difficult to dispute.
Increased Vulnerability: Multiple concurrent sessions increase the risk of unauthorized access, especially if one of the sessions is compromised.
Remediation:
User Notification: Notify users when a new session is initiated, especially from a different location or device, to raise awareness of active sessions.
Session Management Page: Provide users with a dedicated session management page to view and terminate active sessions for enhanced control.
IP Address Tracking and Restrictions:
- Track the IP addresses associated with each session and flag any suspicious activity, such as multiple logins from different locations.
- Allow users to specify trusted IP addresses or ranges, restricting session initiation to known and approved locations.
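The three controls the report asks for (a cap on concurrent sessions, a notification when a login arrives from an unseen IP/device pair, and a way to list and revoke sessions) sketched as one in-memory registry. This is an added example, not alwaysdata's code or the reporter's; the class, method names and the sample IPs and user-agent strings are assumptions, and a real deployment would persist this state and send the queued notifications by e-mail.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    ip: str
    user_agent: str
    created_at: int


class SessionRegistry:
    """Per-user session tracking (hypothetical; in-memory only).

    - caps concurrent sessions per user, evicting the oldest when exceeded
    - queues a notification when a login comes from an IP/user-agent pair
      this user has never logged in from before
    - lets the user list and revoke their active sessions
    """

    def __init__(self, max_sessions: int = 3):
        self.max_sessions = max_sessions
        self.sessions: dict[str, OrderedDict[str, Session]] = {}
        self.known_devices: dict[str, set[tuple[str, str]]] = {}
        self.notifications: list[tuple[str, str]] = []  # (user, message) to deliver

    def login(self, user: str, session_id: str, ip: str, user_agent: str, now: int) -> dict:
        active = self.sessions.setdefault(user, OrderedDict())
        known = self.known_devices.setdefault(user, set())
        device = (ip, user_agent)
        # Only a login from a device never seen for this account is "new";
        # the very first login of an account has nothing to compare against.
        notify = bool(known) and device not in known
        if notify:
            self.notifications.append((user, f"New login from {ip} ({user_agent})"))
        known.add(device)
        active[session_id] = Session(session_id, ip, user_agent, now)
        evicted = []
        while len(active) > self.max_sessions:  # enforce the concurrent-session cap
            oldest_id, _ = active.popitem(last=False)
            evicted.append(oldest_id)
        return {"notify": notify, "evicted": evicted}

    def is_active(self, user: str, session_id: str) -> bool:
        return session_id in self.sessions.get(user, {})

    def list_sessions(self, user: str) -> list[Session]:
        return list(self.sessions.get(user, {}).values())

    def revoke(self, user: str, session_id: str) -> bool:
        return self.sessions.get(user, {}).pop(session_id, None) is not None
```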
Hello,
Showing or notifying new sessions might be desirable, but it's definitely not a vulnerability.
Kind regards,
Cyril