Session Management / No Log Out Functionality
No log out functionality is a session management vulnerability (CWE-613) that occurs when a web or API application gives users no mechanism to log out of the system. If a session is never terminated, an attacker who obtains the session identifier can gain access to the legitimate user's account. According to the OWASP Testing Guide, this vulnerability occurs when the application fails to properly invalidate the session when a user logs out, or does not provide a log out function at all, allowing attackers to take control of the user's session.
This vulnerability can lead to critical security risks. Unauthorized access to user accounts can result in the theft of sensitive information, manipulation of user data, or financial losses. Attackers may also hijack user sessions to bypass authentication mechanisms and thereby gain access to the wider system.
The most important mitigation is a proper log out feature that invalidates the user's session and leaves the user fully logged out of the system. Developers should also set session timeouts to a reasonable length so that idle sessions are not left open for an extended period of time.
The following is an example of code that does not provide a log out feature and can result in the vulnerability (CVE-2018-16428):
<?php
session_start();                     // creates or resumes the session
$_SESSION['user_logged_in'] = true;  // marks the user as authenticated
// No log out path exists: nothing ever calls session_destroy() or expires the
// session cookie, so the session stays valid until PHP's garbage collector removes it.
?>
This code does not provide a function to log out the user, thus potentially leading to the vulnerability.
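The following is an added example, not code from the original page, showing the hardened counterpart to the snippet above: a log out function that invalidates the session on the server and expires the client's cookie, plus the idle timeout the text recommends. The function names and the 900-second timeout are assumptions chosen for illustration.

```php
<?php
// Added example, not from the page: the log-out flow the snippet above lacks.
const IDLE_TIMEOUT_SECONDS = 900; // assumed value: 15 minutes of inactivity

// Start the session with cookie flags that limit session-ID theft.
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,    // cookie dies with the browser
        'path'     => '/',
        'secure'   => true, // HTTPS only
        'httponly' => true, // not readable by JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Issue a fresh session ID at login so a pre-login ID never becomes an authenticated one.
function login(string $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_logged_in'] = true;
    $_SESSION['user_id']        = $userId;
    $_SESSION['last_activity']  = time();
}

// Log out: clear session data, expire the client's cookie, destroy the server-side record.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Idle timeout: terminate sessions left inactive longer than IDLE_TIMEOUT_SECONDS.
function enforceIdleTimeout(): bool
{
    $last = $_SESSION['last_activity'] ?? 0;
    if (time() - $last > IDLE_TIMEOUT_SECONDS) {
        logout();
        return false; // caller redirects to the login page
    }
    $_SESSION['last_activity'] = time(); // refresh on every authenticated request
    return true;
}
```

Call startSecureSession() at the top of every request and enforceIdleTimeout() before serving any authenticated content, and route the application's log out link to logout().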