Terminating User Sessions
When a user logs into a web application, the server creates a session and keeps its state on the server side, keyed by an identifier that is handed to the browser (usually in a cookie). The session records who the user is and what they have done. As long as the session is alive, the user is not asked to authenticate again, even after closing the page and returning on the same device. That is what happens when the server does not terminate the session as the user leaves the portal or closes the browser, and it is a weakness that an attacker with modest technical skill can exploit. An example illustrating this is given below.
A user logs into a web application, and a session is created on successful authentication. The server does not terminate sessions when users leave the portal or close the browser or tab. An attacker who wants access to the user's account gets onto the network path and observes the user's traffic with the web app. From it they obtain the URL of a payment transfer page together with the session identifier that accompanies each request. The user closes the browser without logging out. Because the session is still alive on the server, the attacker can replay the captured identifier with a proxy tool such as Burp Suite, request the transfer page as the user, and move money to another account.
The solution is to terminate sessions on the server when users leave the portal or close the browser, and not to rely on the browser alone. Concretely: the logout action must delete the session state on the server, not merely clear the cookie, since a captured identifier stays usable for as long as the server still honours it; the session cookie should carry no Expires or Max-Age attribute, so the browser discards it when it closes; and because the server cannot reliably observe a browser being closed, it should additionally expire sessions after a period of inactivity and after an absolute maximum lifetime. Once a session has ended, entering the URL of a protected page no longer grants access to it. Authentication is required again.
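As an added example, not code from the original page, the following Python implements the session handling described above and replays the scenario from the example: a captured identifier that works while the session is alive stops working after logout, after an idle timeout, and after the absolute lifetime. The timeout values, the in-memory store, the injectable clock and the user names are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed limits for this example; real values depend on the application's risk.
IDLE_TIMEOUT = 15 * 60        # seconds without activity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session store. The client holds only an opaque random token;
    all state and every expiry decision live here, so a replayed token is
    worthless once the server has dropped the session."""

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable clock for the demo
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        # 256 bits of randomness: unguessable, so a plain dict lookup is safe.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user=user, created=now, last_seen=now)
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the user of a live session, or None. Expired sessions are
        deleted on the spot so a later replay cannot revive them."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.created > ABSOLUTE_TIMEOUT or now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        sess.last_seen = now                     # activity refreshes the idle timer
        return sess.user

    def terminate(self, token: str) -> None:
        """Logout: remove the server-side state. Only clearing the cookie in
        the browser would leave the token usable by anyone who captured it."""
        self._sessions.pop(token, None)

    def terminate_all_for(self, user: str) -> None:
        """Kill every session of a user, e.g. after a password change."""
        for tok in [t for t, s in self._sessions.items() if s.user == user]:
            del self._sessions[tok]


def session_cookie_header(token: str) -> str:
    """Set-Cookie value for the token. No Expires/Max-Age makes it a session
    cookie the browser discards on close; HttpOnly keeps it away from page
    scripts; Secure restricts it to HTTPS."""
    return f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo() -> dict:
    """Replay the attack from the text against this store with a fake clock."""
    t = [1_000_000.0]
    store = SessionStore(clock=lambda: t[0])

    token = store.create("alice")
    captured = token                               # attacker sniffed the cookie
    while_alive = store.lookup(captured)           # live session: replay succeeds
    store.terminate(token)                         # user logs out
    after_logout = store.lookup(captured)          # replay now fails

    token2 = store.create("alice")
    t[0] += IDLE_TIMEOUT + 1                       # user walked away
    after_idle = store.lookup(token2)

    token3 = store.create("alice")
    for _ in range(48):                            # keeps clicking every 10 min
        t[0] += 600
        store.lookup(token3)
    before_absolute = store.lookup(token3)         # 8h exactly: still alive
    t[0] += 600                                    # hard cap now exceeded
    after_absolute = store.lookup(token3)

    return {
        "while_alive": while_alive,
        "after_logout": after_logout,
        "after_idle": after_idle,
        "before_absolute": before_absolute,
        "after_absolute": after_absolute,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The idle timeout is the mechanism that actually enforces "terminate on browser close", because no request arrives to tell the server the window went away; the absolute timeout bounds the damage from an identifier captured while the user stays active.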