Project: Session Limit
Security risk: *Critical* 15∕25
Vulnerability: Insecure Session Management
The session limit module enables a site administrator to set a policy around
the number of active sessions users of the site may have. This is typically
set to one so that you can only be logged in once with the same user account.
In one configuration of the module, when a user logs in with another session
elsewhere already active, the module asks the user which session should be
closed before they can proceed with login. The module does not sufficiently
tokenize the list of sessions so that the user's session keys can be found
through inspection of the form.
This vulnerability is mitigated by the fact that an attacker must already be
able to intercept the contents of the HTML page to exploit the issue. That
ability to intercept may come from Cross Site Scripting. This makes a Cross
Site Scripting vulnerability worse than it would normally be.
Install the latest version:
Also see the Session Limit project page.