IBM Security Verify

 View Only
Expand all | Collapse all

Concurrent Sessions are enabled but Users are able to access application in two different browsers

  • 1.  Concurrent Sessions are enabled but Users are able to access application in two different browsers

    Posted Tue January 14, 2020 09:01 AM

    Hi,

    We have enabled the concurrent sessions limit to 1 and its working fine. But, in security audit there is one vulnerability raised.

    i.e. user Rahil access the ISAM Protected Application (App1) in IE and user logged into App1 successfully. User copy the App1 homepage. (Note: On ISAM only one session is there)

    He opened another browser (Google Chrome) and try to access App1 , He is challenged for Login --> Entered correct credentials --> Got Error Page Additional Login not allowed. 

    But, being in the same browser (Google Chrome) , User paste the copied URL (App1 homepage url) and he is successfully redirected to App1 homepage. (Note: On ISAM only one session still and session value also still same. Its not altered)

    User Rahil is able to access the App1 in both IE and Google Chrome. 


    Your comments and a way to restrict if any from ISAM side



    Thanks,
    Rahil



    ------------------------------
    Rahil Anwar
    ------------------------------


  • 2.  RE: Concurrent Sessions are enabled but Users are able to access application in two different browsers

    Posted Tue January 14, 2020 09:15 AM
    Hi Rahil,

    I feel like I'm missing something here.  If ISAM is preventing the login from Chrome, how is user able to access App1 from Chrome?
    How are ISAM and App1 connected?  Is it a junction or is there some federation involved here?  Please can you describe all the WebSEAL and application instances in this scenario and how identity is flowing between them.

    Thanks... Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Concurrent Sessions are enabled but Users are able to access application in two different browsers

    Posted Tue January 14, 2020 09:18 AM
    ... or maybe some parts of App1 are accessible without logging in?  Have a look at the ACLs to make sure no unauthenticated access is allowed to App1 pages?  Also check to make sure browser caching is not allowing App1 pages to be visible (try a shift-reload to prevent caching)

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 4.  RE: Concurrent Sessions are enabled but Users are able to access application in two different browsers

    Posted Tue January 14, 2020 09:45 AM
    Hi Rahil,

    As Jon said... I believe your App1 is not the typical WebSEAL / Junctioned Server, but an application that establishes its authenticated session via SAML20.  Can you confirm?

    For this flow - how does authentication happen at the ISAM side? (username/password)

    Have you set the maximum sessions to 1 or to displace?  And was there any customization in any of the ISAM management pages (i.e error pages)?  And if so, can you confirm if the behavior with default ISAM management pages is different).



    ------------------------------
    HANS VANDEWEGHE
    ------------------------------



  • 5.  RE: Concurrent Sessions are enabled but Users are able to access application in two different browsers

    Posted Tue January 14, 2020 09:55 AM
    App1 is integrated using a standard junction based only.  No Federation or SAML for this App1.


    I cleared the cache in IE and then Google Chrome also but still the same behavior.

    uauth ACL is attached on Standard junction and Unauthenticated Users can traverse and read only.

    Verified the unauth ACL and checked the App1 homepage (Which is accessible in Google Chrome in our discussion) not attached under Unauth ACL.


    I set maximum sessions to 1 

    ------------------------------
    Rahil Anwar
    ------------------------------



  • 6.  RE: Concurrent Sessions are enabled but Users are able to access application in two different browsers

    Posted Tue January 14, 2020 09:57 AM
    customized error page 38b9a41f.html

    ------------------------------
    Rahil Anwar
    ------------------------------



  • 7.  RE: Concurrent Sessions are enabled but Users are able to access application in two different browsers

    Posted Tue January 14, 2020 10:15 AM
    My advice would be to open a support case because getting to the bottom of this is likely going to need view of trace log to see what exactly is going on.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 8.  RE: Concurrent Sessions are enabled but Users are able to access application in two different browsers

    Posted Tue January 14, 2020 12:31 PM

    Rahil,
    Can you clarify this part of your problem description:  "being in the same browser (Google Chrome)"

    If a user successfully authenticates to WebSEAL and receives an authenticated session cookie, then opens a new browser tab and pastes in a URL to another WebSEAL protected URL, the browser tabs share memory space therefore the session cookie received in browser tab1 will be sent with the request from tab2.
    You may want to use a client side HTTP debugger such as Fiddler to verify a session cookie is sent with the request.
    Regards,
    Steve Hughes



    ------------------------------
    Steven Hughes
    ------------------------------



  • 9.  RE: Concurrent Sessions are enabled but Users are able to access application in two different browsers

    Posted Tue January 14, 2020 09:37 PM
    Hello, 

    How many webseal server instances are there where standard junction is created for App1.

    Also session is shared across the browser tabs and some browsers also support session sharing in new window. Check this with the help of fiddler how session is managed by the browser.

    ------------------------------
    Padam Khatana
    ------------------------------



  • 10.  RE: Concurrent Sessions are enabled but Users are able to access application in two different browsers

    IBM Champion
    Posted Wed January 15, 2020 01:27 AM
    Edited by Rama Yenumula Wed January 15, 2020 01:45 AM

    Hi Rahil,  

    From your quote1: "He opened another browser (Google Chrome) and try to access App1 , He is challenged for Login --> Entered correct credentials --> Got Error Page Additional Login not allowed. "

    <RY> I believe when you entered correct credentials, browser session is created(Meant pd-s-session cookie set) and WebSEAL further sends user to error page. Assuming session is set on the second browser irrespective of error page, a logout should terminate the duplicate session if any. Could you try and add a dummy Image html tag with src pointing "/pkmslogout" in the head section or duplicate session error page? <RY>


    From your quote2:  But, being in the same browser (Google Chrome) , User paste the copied URL (App1 homepage url) and he is successfully redirected to App1 homepage. (Note: On ISAM only one session still and session value also still same. Its not altered)

    <RY> With dummy image src tag suggested above clearing browser session in Chrome, WebSEAL should prompt for login when user pastes protected App1 home page URL?. This might get you temporarily out of Sec audit <RY> 


    Regards,
    Rama



    ------------------------------
    Rama Yenumula
    ------------------------------