Concurrent sessions
Description
The application does not validate the number of active sessions each user has, so a user can log in more than once at the same time. Furthermore, the application does not notify the user when a session has already been initiated or when a second one commences from a different location.
Impact
Affects the traceability and non-repudiation of the user's actions.
Recommendation
The system must restrict the number of concurrent sessions that a user can establish and, at the same time, it must notify the user when a login from a different location occurs.
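One way to implement this recommendation, as an added example that is not part of the original page: an in-memory registry that caps active sessions per user and notifies the user when a login arrives from a source IP not among their active sessions. The names `SessionRegistry`, `notify` and `evict_oldest`, and the use of source IP as "location", are assumptions of the example; a real deployment would keep this state in the shared session store and also expire idle sessions.

```python
import secrets
import time
from collections import defaultdict


class SessionLimitExceeded(Exception):
    """Raised when a user already holds the maximum number of sessions."""


class SessionRegistry:
    def __init__(self, max_sessions=1, notify=print, evict_oldest=False):
        self.max_sessions = max_sessions
        self.notify = notify              # hypothetical callback: (user, message)
        self.evict_oldest = evict_oldest  # False: reject new login; True: drop oldest
        self._sessions = defaultdict(dict)  # user -> {token: (ip, created)}

    def login(self, user, ip):
        """Call only after credentials have been verified."""
        active = self._sessions[user]
        # Notify before enforcing the limit, so blocked attempts are reported too.
        if active and ip not in {s_ip for s_ip, _ in active.values()}:
            self.notify(user, f"Login from new location {ip}")
        if len(active) >= self.max_sessions:
            if not self.evict_oldest:
                raise SessionLimitExceeded(user)
            oldest = min(active, key=lambda t: active[t][1])
            del active[oldest]            # the old token stops validating
        token = secrets.token_urlsafe(32)
        active[token] = (ip, time.monotonic())
        return token

    def is_valid(self, user, token):
        """Check on every request, so evicted sessions are cut off at once."""
        return token in self._sessions.get(user, {})

    def logout(self, user, token):
        self._sessions.get(user, {}).pop(token, None)
```

Rejecting the new login keeps the existing session intact, while `evict_oldest=True` lets the legitimate user recover access after losing a device; either way the notification gives the user a record of the second login attempt.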
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
⏱️ 30 minutes.
Requirements
025 - Manage concurrent sessions