weixin_39838328
2020-12-26 11:00

Test Token Revocation in Spartacus. Multiple Simultaneous Sessions

Dependency: Fix available in 2005.4 and 2011.

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6363 for further details.

Deploy servers accordingly. Obtain further details from Michael.

This question comes from the open-source project: SAP/spartacus


5 replies

  • weixin_39838328, 4 months ago

    fyi

  • weixin_39540020, 4 months ago

    Stan said we already tested this scenario in threat modelling; do we still need this?

  • weixin_39540020, 4 months ago

    GC, what's this ticket about? Maybe think about documenting if behaviors differ depending on the backend.

  • weixin_39838328, 4 months ago

    This is regarding revoking session tokens for simultaneous sessions of the same user. It's only available as of 2005.4. Given that the same user logs in on browser A and browser B, logging out of browser A should also log out browser B. Pending detailed testing by me and Michael.

  • weixin_39838328, 4 months ago

    It also covers the case where a password change in browser A should invalidate the browser B session. Support for this was given as mitigation for the CVE ticket listed in the description. This support is available after 2005.4. Final testing is needed, which will be done in the next few days.

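The two scenarios discussed in this thread (logout in browser A, and password change in browser A, each while the same user still holds a session in browser B), as an added illustrative model that is not Spartacus or SAP Commerce code; the `TokenStore` class, its `revokeAllSessions` flag and the sample user are invented for the example, and the flag contrasts per-session revocation with the revoke-all-sessions behaviour the ticket expects.

```typescript
// Illustrative model of server-side token revocation for one user with several
// simultaneous sessions (browser A, browser B). Not Spartacus/SAP Commerce code.
// revokeAllSessions=false: logout/password change in A leaves B's token valid.
// revokeAllSessions=true: the behaviour the ticket expects, B is revoked too.
interface Session { user: string; valid: boolean }

class TokenStore {
  private sessions = new Map<string, Session>();
  private passwords = new Map<string, string>();
  private next = 1;
  constructor(private readonly revokeAllSessions: boolean) {}
  register(user: string, password: string): void { this.passwords.set(user, password); }
  // Issue a fresh opaque token on correct credentials, null otherwise.
  login(user: string, password: string): string | null {
    if (this.passwords.get(user) !== password) return null;
    const token = `tok-${this.next++}`; // constructed value, not a real token format
    this.sessions.set(token, { user, valid: true });
    return token;
  }
  isValid(token: string): boolean { return this.sessions.get(token)?.valid === true; }
  // Revoke the calling session and, when enabled, every other session of the same user.
  private revoke(token: string): void {
    const own = this.sessions.get(token);
    if (!own) return;
    this.sessions.forEach((s) => {
      if (s === own || (this.revokeAllSessions && s.user === own.user)) s.valid = false;
    });
  }
  logout(token: string): void { this.revoke(token); }

  changePassword(token: string, newPassword: string): boolean {
    const own = this.sessions.get(token);
    if (!own?.valid) return false;
    this.passwords.set(own.user, newPassword);
    this.revoke(token); // a password change must also drop the user's other sessions
    return true;
  }
}

// Scenario from the ticket: same user logged in from browser A and browser B.
// Returns whether B's token is still accepted after A logs out or changes the password.
function browserBSurvives(action: "logout" | "passwordChange", revokeAll: boolean): boolean {
  const store = new TokenStore(revokeAll);
  store.register("alice", "old-pw"); // constructed sample user
  const tokenA = store.login("alice", "old-pw")!;
  const tokenB = store.login("alice", "old-pw")!;
  if (action === "logout") store.logout(tokenA); else store.changePassword(tokenA, "new-pw");
  return store.isValid(tokenB);
}
```

A test of the fixed backend should assert the `revokeAll = true` column for both actions; the `false` column is the pre-fix behaviour the CVE describes.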
