Session Management - Multiple Sessions Allowed
It is possible for a user to initiate multiple concurrent sessions using a single username/password combination. If multiple users are allowed to log in to the same account simultaneously, non-repudiation is lost, because actions can no longer be tied to one person. The existence of multiple sessions generated from the same set of user credentials often indicates that the credentials have been compromised.
A malicious user with valid credentials could exploit this vulnerability to cause a denial of service condition. Using a script to repeatedly log into the system, the attacker could appropriate resources for each new session until no resources are available to legitimate users.
This side effect can be eliminated by terminating the previous session during the login process.
In PHP, the following example steps prevent multiple sessions for one account:
1. Save the session id in the database when a user logs in.
2. Compare the stored session id with the current one each time a request is sent to the server.
3. If the session id does not match, destroy the current session.
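The three steps above as working PHP, added here as an example rather than code from the original page. It assumes a PDO connection `$pdo` and a `users` table with the columns `id`, `username`, `password_hash` and `session_id`; the function and column names are assumptions.

```php
<?php
// Added example, not from the original page. Assumes a PDO connection $pdo and a
// users table (id, username, password_hash, session_id); names are assumptions.
session_start();

// Step 1: on successful login, bind the account to exactly one session id.
function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Issue a fresh id on login (also defeats session fixation), then record it.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    // Overwriting the stored id is what terminates any earlier session for this account.
    $upd = $pdo->prepare('UPDATE users SET session_id = ? WHERE id = ?');
    $upd->execute([session_id(), $user['id']]);
    return true;
}

// Steps 2 and 3: on every request, compare the current session id with the stored one.
function enforce_single_session(PDO $pdo): bool {
    if (empty($_SESSION['user_id'])) {
        return false; // not logged in, nothing to enforce
    }
    $stmt = $pdo->prepare('SELECT session_id FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !hash_equals((string) $stored, session_id())) {
        // A newer login replaced this session. Log it: the page notes that a second
        // session on the same credentials is a common sign of credential compromise.
        error_log('session displaced for user_id=' . $_SESSION['user_id']);
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return false;
    }
    return true;
}
```

Call `enforce_single_session($pdo)` before any authenticated page logic so the displaced session is torn down before it can act.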