
I was asked to address the "Simultaneous Session Logons" problem in AEM (https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Simultaneous_Session_Logons). I'm looking for a ready solution in Oak for preventing a user account from being logged in multiple times at once.

I found that user tokens are created under the "/home/users/c/[user_hash]/.tokens" path, so I was thinking about making a listener that would remove the old token when a new one is created, but I can't believe that Oak doesn't allow setting this up in some simple way.

I've checked Oak's website but couldn't find anything on that topic. Searching on Google doesn't help either.

If you have any idea whether this can be done in another way than with the mentioned listener, then please share it with me. If you think that this shouldn't be done because of some Oak mechanism that I might not be aware of, then please warn me.

  • Why would you want to forbid that? What's the use case? – Julian Reschke May 28 '18 at 17:01
  • @JulianReschke - our client had a security audit done, and this audit flags "Simultaneous Session Logons" in the AEM Author instance as a threat. I was asked to give my opinion and eventually an estimate for a fix for that. – A. Wolk May 29 '18 at 09:23
  • Why is it a threat? – Julian Reschke May 29 '18 at 10:11
  • The auditing company suggests that this "vulnerability" could allow an attacker to remain undetected when using compromised credentials. They say that it is preferable if the application terminates other user sessions when a user is successfully authenticated. It could help the user detect that someone is using their account. – A. Wolk May 29 '18 at 10:52
  • @A.Wolk the OWASP site does not recommend automatically dropping the user's session. It suggests that the user be alerted of other activity and _provide user features to remotely terminate sessions manually_. – toniedzwiedz May 29 '18 at 14:23
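The listener the question sketches, written out as an added example (not code from the post, from Oak or from AEM). It observes `NODE_ADDED` events below `/home/users`, keeps only events for `rep:Token` nodes under a `.tokens` node, and counts the other tokens that exist for the same account at that moment. By default it only records that fact, which is the input needed for the "alert the user and let them terminate sessions" approach from the last comment; with `enforceSingleSession` set to `true` it also removes the older tokens, which is the automatic termination the question asks about. Assumptions: the `Session` handed in belongs to a service user (or admin) permitted to read and modify user homes and is kept open and used only by this listener; `/home/users`, `.tokens`, `rep:Token` and `rep:authorizableId` are Oak's default names, and `rep:Token` nodes can be removed by that session.

```java
import java.util.logging.Logger;

import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.observation.Event;
import javax.jcr.observation.EventIterator;
import javax.jcr.observation.EventListener;
import javax.jcr.observation.ObservationManager;

/**
 * JCR observation listener that reacts when Oak creates a new login token
 * (a rep:Token node) under a user's ".tokens" node. Added example, not Oak code.
 *
 * Assumption: the session is a service/admin session allowed to read and modify
 * user homes; the caller keeps it open for the lifetime of the listener.
 */
public class ConcurrentTokenListener implements EventListener {

    private static final Logger LOG = Logger.getLogger(ConcurrentTokenListener.class.getName());
    private static final String USER_ROOT = "/home/users";  // Oak default user root (assumed)
    private static final String TOKENS_NODE = ".tokens";    // Oak token parent node
    private static final String TOKEN_TYPE = "rep:Token";   // Oak token node type

    private final Session session;
    private final boolean enforceSingleSession;

    public ConcurrentTokenListener(Session session, boolean enforceSingleSession) {
        this.session = session;
        this.enforceSingleSession = enforceSingleSession;
    }

    /** Registers the listener for NODE_ADDED events anywhere below the user root. */
    public static ConcurrentTokenListener register(Session session, boolean enforceSingleSession)
            throws RepositoryException {
        ConcurrentTokenListener listener = new ConcurrentTokenListener(session, enforceSingleSession);
        ObservationManager om = session.getWorkspace().getObservationManager();
        // No node-type filter: JCR applies it to the parent of the added node, and the
        // parent (".tokens") is not a rep:Token. The type check is done in handleNewToken.
        om.addEventListener(listener, Event.NODE_ADDED, USER_ROOT, true, null, null, false);
        return listener;
    }

    @Override
    public void onEvent(EventIterator events) {
        while (events.hasNext()) {
            Event event = events.nextEvent();
            try {
                handleNewToken(event.getPath());
            } catch (RepositoryException e) {
                LOG.warning("Could not process token event: " + e.getMessage());
            }
        }
    }

    /**
     * Returns how many other tokens existed for the same user when the token at
     * newTokenPath was added (0 if the path is not a token). With enforcement on,
     * those other tokens are removed and the change is saved.
     */
    int handleNewToken(String newTokenPath) throws RepositoryException {
        session.refresh(false);                       // see the state that produced the event
        if (!session.nodeExists(newTokenPath)) {
            return 0;                                 // already gone (expired or removed)
        }
        Node newToken = session.getNode(newTokenPath);
        Node tokens = newToken.getParent();
        if (!newToken.isNodeType(TOKEN_TYPE) || !TOKENS_NODE.equals(tokens.getName())) {
            return 0;                                 // some other node under /home/users
        }

        int others = 0;
        NodeIterator it = tokens.getNodes();
        while (it.hasNext()) {
            Node other = it.nextNode();
            if (other.isSame(newToken) || !other.isNodeType(TOKEN_TYPE)) {
                continue;
            }
            others++;
            if (enforceSingleSession) {
                other.remove();                       // invalidates that token-based session
            }
        }

        if (others > 0) {
            Node userHome = tokens.getParent();       // .../[user_hash] node of the account
            String userId = userHome.hasProperty("rep:authorizableId")
                    ? userHome.getProperty("rep:authorizableId").getString()
                    : userHome.getPath();
            LOG.info("User " + userId + " logged in while " + others + " other token(s) existed"
                    + (enforceSingleSession ? "; older tokens removed" : ""));
            if (enforceSingleSession) {
                session.save();
            }
        }
        return others;
    }
}
```

Register it once at startup with `ConcurrentTokenListener.register(serviceSession, false)` and feed the log line into whatever notifies the user; switching the flag to `true` turns the same code into the question's "remove the old token" listener. Two properties of this design matter for the audit finding: the check runs on the repository state, so it covers any login path that ends in a token (including sessions that were not opened through the login page), and with enforcement on, a login by anyone holding the credentials also ends the legitimate user's session, which is the trade-off the OWASP cheat sheet's wording avoids.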
