Description
It is possible to log in to the application from multiple
locations under the same user account simultaneously.
Impact
- Unauthorized Access: Concurrent logins make it difficult to
distinguish between legitimate and unauthorized access. An attacker
gaining access to the account can operate from a different location,
complicating detection.
- Account Compromise: If one set of credentials is compromised, the
attacker can access the account concurrently with the legitimate
user, potentially leading to unauthorized activities.
- Monitoring Challenges: Tracking user activities becomes more
challenging, making it harder to identify suspicious behavior or
potential security incidents
See also:
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#simultaneous-session-logons
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#binding-the-session-id-to-other-user-properties
