Failure to invalidate session on logout

bulbasaur · November 20, 2024, 4:27pm

So I am pentesting a few apps that okta for signing into the application. We have reported a finding called “failure to invalidate session on logout” stating that the session remain active on logging out from the browser.

Evidence:

Capture one of the authenticated request using a proxy tool.
Logout of the application from the browser.
Go back to the proxy tool and try to replay the request.
Observe that the request still works and we are able to see response that should be visible to the authenticated user only.

Is it something that comes by default in Okta that the session remains active on the backend even after logging out from the browser? Or this is something that can be fixed? Would be grateful if someone replies for this.

andrea · November 25, 2024, 5:48pm

Do you have more information regarding the following?

What type of application is encountering this issue
How does the application currently handle logout?
Is this related to the Okta session remaining active OR the application’s own session remaining active 3
What request is being replayed that is succeeding even after the user logout?

system · December 25, 2024, 5:48pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Post		Replies	Views
On Signout Session Token is still valid and not revoked Questions dotnet	5	3006	February 12, 2024
My Application is still accessible even after logging out of Okta Questions	11	10474	March 24, 2023
Logout from the application Questions java	5	4215	December 2, 2021
How works logout Questions	7	3725	February 7, 2024
What is the expected Okta behavior on logout? Questions	1	3734	January 18, 2024

Failure to invalidate session on logout

Related topics