The Exploit

Notes from the Front Lines of Penetration Testing

Why We Take Simultaneous Sessions Seriously on Penetration Tests

Why We Take Simultaneous Sessions Seriously on Penetration Tests
Summary

A common finding in web applications we test is ‘Application Supports Simultaneous Logins’. This finding occurs when both of the following conditions are met:

  1. The application allows for multiple sessions at the same time, from different devices, browsers, etc.
  2. The application does not alert the user to the multiple sessions through:
    • Email notification,
    • Notification inside the application, or
    • A session management page inside the application.

Essentially, this boils down to the user being allowed to have multiple sessions without a way to manage them or see other active sessions through notifications or otherwise.

What does this look like?

In practice, we look in several locations for the functionality to manage sessions, but the most common place we find it is in profile sections or settings. When these are not available, we’ll log in on two separate browsers — or on two devices — and navigate them both to the settings page, checking for notifications or other session management abilities. An example of multiple sessions without notification to the user in a popular online platform is shown below:

Multiple Sessions without User Notification
Why does this matter?

Allowing simultaneous sessions seems innocuous at first. I mean, we mostly all have multiple devices that we log in through, right? True, but the lack of insight into your account’s session management becomes a problem if your session is somehow stolen, credentials are obtained, or your account is otherwise compromised through other vulnerabilities. If multiple sessions are allowed without notification to the user, there is no way for the user to know that their account has been compromised or to terminate the active sessions that have been compromised.

Remediations

In today’s world, disallowing multiple sessions is likely not realistic due to business constraints. Most people have several devices themselves, and logging in to an application on multiple is common, so this likely needs to be a feature in your application. However, alerting the user or allowing them to view their active sessions is important so they can maintain control of their account in the event of a breach. There are several ways to do this, with varying functionality, including:

  • Showing users active sessions with details about the session
  • Allowing users to terminate specific sessions
  • Providing functionality to log out the user from all other devices
  • Combine any of the above when the account password is changed

These are all valid approaches, but the specific one you choose to implement will depend on your application’s use cases, business constraints, and design. In our Raxis One application, we provide the user both with details about their active sessions, functionality for terminating specific sessions, and a session history that includes IP Address and location details, as shown in below:

Raxis One Session Management

Raxis Administrator

Posted on

Categories:

Also by Raxis Administrator

Human Vs AI Pentesting

While AI tools offer speed in detecting known vulnerabilities, they fall short with 20-35% false positives and only 50-65% success on complex threats like business logic flaws, as per mainstream reports from Verizon and OWASP. Human penetration testers at Raxis deliver 85-90% detection rates, precise prioritization, and ethical adaptability, ensuring your organization stays ahead of real-world attacks.

Partner With Raxis

Partnering with Raxis empowers your business with elite penetration testing services, competitive reseller pricing, and recurring revenue opportunities, all backed by a proven track record of excellence and a commitment to staying ahead of evolving cybersecurity threats.

Penetration Testing

Tailored, expert-led penetration testing services that uncovers hidden vulnerabilities using real-world hacker techniques, providing actionable insights to strengthen your defenses and protect against sophisticated cyber threats.

Ready to See Raxis One In Action?

See how we transform traditional pen testing into interactive security intelligence that keeps you informed every step of the way. From real-time attack progression to detailed remediation guidance, Raxis One gives you unprecedented visibility into your security posture as it’s being tested.