Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by ciphernest7 - 01.07.2026
Last edited by cbay - 02.07.2026

FS#358 - Inadequate Concurrent Sessions

Description:

The application https://admin.alwaysdata.com/login/ does not validate the number of active sessions per user, allowing multiple concurrent logins without any limitations. Additionally, the application fails to notify users when a new session is initiated from a different location or device. This issue poses significant security risks, especially in areas handling sensitive data, such as admin panels or personal user accounts.

Steps to Reproduce:

Login from Device A:
Navigate to https://admin.alwaysdata.com/login/. Enter valid credentials and log in.

Login from Device B:
Using a different device or browser (e.g., mobile phone or another computer), navigate to https://admin.alwaysdata.com/login/. Log in with the same user credentials used in Step 1.

Verify Active Sessions:
Observe that both sessions remain active simultaneously.
Note that the application does not notify the user about the new session from a different location/device.

Actual Behavior:

The application allows multiple concurrent sessions for a single user account without any limitations.
No notifications are sent to the user when a new session is initiated from a different location or device.
There is no mechanism to monitor or manage active sessions within the user account.

Expected Behavior:

The application should limit the number of active sessions per user to enhance security.
Users should receive notifications when a new session is initiated from a different location or device.
A session management page should be provided, allowing users to view and terminate active sessions.

Impact:

Non-Repudiation Risks: The lack of session notifications and limitations can lead to unauthorized access and actions that are difficult to dispute.
Increased Vulnerability: Multiple concurrent sessions increase the risk of unauthorized access, especially if one of the sessions is compromised.

Remediation:

User Notification: Notify users when a new session is initiated, especially from a different location or device, to raise awareness of active sessions.

Session Management Page: Provide users with a dedicated session management page to view and terminate active sessions for enhanced control.

IP Address Tracking and Restrictions:
Track the IP addresses associated with each session and flag any suspicious activity, such as multiple logins from different locations.
Allow users to specify trusted IP addresses or ranges, restricting session initiation to known and approved locations.
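The remediation items in the report (a per-user inventory of sessions, an alert when a login arrives from a device or address not seen before, user-driven revocation, a cap on concurrent sessions, and opt-in trusted networks) fit together as one small component. What follows is an example added for this page by the editor; it is not alwaysdata's code, and nothing on the page says how their login is implemented. The in-memory store, the `notify` callback, the user `alice`, the user-agent strings and the documentation-range IP addresses are all constructed for the walkthrough. Session tokens are kept only as SHA-256 digests so that a copy of the store cannot be replayed as live cookies.

```python
import hashlib
import ipaddress
import itertools
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str
    user_agent: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory stand-in for a session table; notify() stands in for a mailer."""

    def __init__(self, max_sessions=5, notify=None, clock=time.time):
        self.max_sessions = max_sessions          # concurrent sessions allowed per user
        self.notify = notify or (lambda user, event: None)
        self.clock = clock
        self._sessions = {}   # SHA-256 digest of token -> Session (raw token never stored)
        self._devices = {}    # user -> set of (ip, user_agent) seen on earlier logins
        self._trusted = {}    # user -> [ip_network, ...] the user chose to require

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def set_trusted_networks(self, user, cidrs):
        self._trusted[user] = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def login(self, user, ip, user_agent):
        """Create a session; alert on an unseen device; enforce the session cap."""
        nets = self._trusted.get(user)            # empty/None means no restriction opted in
        if nets and not any(ipaddress.ip_address(ip) in n for n in nets):
            self.notify(user, f"login refused from untrusted address {ip}")
            return None
        now = self.clock()
        device = (ip, user_agent)
        seen = self._devices.setdefault(user, set())
        if seen and device not in seen:           # the very first login is not a "new device"
            self.notify(user, f"new login from {ip} ({user_agent})")
        seen.add(device)
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = Session(user, ip, user_agent, now, now)
        # Over the cap: evict this user's least recently used sessions.
        mine = sorted((s.last_seen, d) for d, s in self._sessions.items() if s.user == user)
        for _, d in mine[: max(0, len(mine) - self.max_sessions)]:
            del self._sessions[d]
        return token

    def resolve(self, token):
        """Validate a token presented on a request; None means 'not logged in'."""
        s = self._sessions.get(self._digest(token))
        if s is not None:
            s.last_seen = self.clock()
        return s

    def list_sessions(self, user):
        """Rows for a 'your active sessions' page; 'id' is what the revoke form sends back."""
        return [{"id": d, "ip": s.ip, "user_agent": s.user_agent,
                 "created": s.created, "last_seen": s.last_seen}
                for d, s in self._sessions.items() if s.user == user]

    def revoke(self, user, session_id):
        s = self._sessions.get(session_id)
        if s is None or s.user != user:           # never let a user revoke another's session
            return False
        del self._sessions[session_id]
        return True


def demo():
    """Replay the report's scenario (Device A, then Device B) against the store."""
    events, ticks = [], itertools.count(1)      # ticks: deterministic clock for the walkthrough
    store = SessionStore(max_sessions=2, notify=lambda u, e: events.append(e),
                         clock=lambda: next(ticks))
    tok_a = store.login("alice", "203.0.113.10", "Firefox/desktop")  # Device A
    tok_b = store.login("alice", "198.51.100.7", "Safari/iPhone")    # Device B: alert sent
    tok_c = store.login("alice", "203.0.113.10", "Firefox/desktop")  # third: cap evicts A
    result = {
        "a_evicted": store.resolve(tok_a) is None,
        "b_alive": store.resolve(tok_b) is not None,
        "alive_ips": sorted(s["ip"] for s in store.list_sessions("alice")),
        "cross_user_revoke": store.revoke("bob", SessionStore._digest(tok_c)),
        "own_revoke": store.revoke("alice", SessionStore._digest(tok_b)),
    }
    result["remaining"] = len(store.list_sessions("alice"))
    store.set_trusted_networks("alice", ["203.0.113.0/24"])
    result["untrusted_refused"] = store.login("alice", "198.51.100.7", "Safari/iPhone") is None
    result["trusted_ok"] = store.login("alice", "203.0.113.20", "Firefox/desktop") is not None
    result["events"] = events
    return result
```

Of the four items, listing sessions, alerting on unseen devices and revocation give the account holder visibility without ever locking anyone out; the hard cap is the one piece that can itself deny service to a legitimate user (here the least recently used session is silently evicted), so in this example it is a constructor parameter rather than a fixed rule.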

Closed by cbay
02.07.2026 07:12
Reason for closing: Invalid

cbay (Admin) commented on 02.07.2026 07:12

Hello,

Showing or notifying new sessions might be desirable, but it's definitely not a vulnerability.

Kind regards,
Cyril
