Session does not expire on logout in plankanban/planka
Aug 27th 2022
An existing session is not invalidated on actions such as logout. Because the session key stays valid for
1 year, the impact is greater.
Proof of Concept
- Log in to planka
- Record the session token
- Replay an authenticated request with the recorded token. The actions will still be executed.
The session token is valid for a year. If an attacker obtains the session token, they can use it to access the user account for a year.