Invalidating active session if a user logs in from another locationInvalidating active session if a user logs in from another locationhttps://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&threadId=1231074532026-04-27T16:52:31Z2026-04-27T16:52:31ZRE: RE: Invalidating active session if a user logs in from another locationJan Tošovskýhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1232006632025-01-22T14:14:49Z2025-01-22T14:14:49Z<p>This indeed works as expected. It needs to be complemented by
enabling tracking active sessions, which I remember was discouraged
because of performance, but our community is not so large so it is acceptable.</p>Jan Tošovský2025-01-22T14:14:49ZRE: Invalidating active session if a user logs in from another locationZsigmond Rabhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1231105502025-01-22T14:11:18Z2024-12-06T08:39:52Z<p>Hi Jan,</p>
<p>Doesn't setting the <em>auth.simultaneous.logins</em> property to
<em>false</em> covers this request?</p>
<p>See https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/portal.properties#L3480</p>
<p>Regards,<br> Zsigmond</p>Zsigmond Rab2024-12-06T08:39:52ZInvalidating active session if a user logs in from another locationJan Tošovskýhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1231074522024-12-03T11:40:31Z2024-12-03T11:40:31Z<p>
<strong>Description</strong>
<br> It is possible to log in to the application from multiple
locations under the same user account simultaneously.</p>
<p>
<strong>Impact</strong>
</p>
<ul>
<li>Unauthorized Access: Concurrent logins make it difficult to
distinguish between legitimate and unauthorized access. An attacker
gaining access to the account can operate from a different location,
complicating detection.</li>
<li>Account Compromise: If one set of credentials is compromised, the
attacker can access the account concurrently with the legitimate
user, potentially leading to unauthorized activities.</li>
<li>Monitoring Challenges: Tracking user activities becomes more
challenging, making it harder to identify suspicious behavior or
potential security incidents</li>
</ul>
<p>See also:</p>
<p>https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#simultaneous-session-logons<br> https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#binding-the-session-id-to-other-user-properties</p>
<p> </p>Jan Tošovský2024-12-03T11:40:31Z