Channel: DevNet Questions

How to log out user from all active sessions when reset password successful?

I have a requirement to log out the user when he resets his password through the password reset link received in email. The application does not properly invalidate a user’s session on the server after the user initiates a logout. A user’s session remains active even after the logout is initiated. This allows requests to be sent to the server with the user’s session ID, and the server will successfully process the request as though the user is still logged in. An unauthenticated attacker can steal user sessions to send requests to the server as that user until the cookie times out, allowing the attacker to impersonate the victim. Please let me know how to achieve this feature in Kentico 12 portal engine.
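
The behaviour asked for above, sketched as an added example that is not part of the original post and does not use any Kentico API: the server keeps its own record of each session and a per-user counter, so logout deletes the record and a password reset invalidates every session issued before it. `SessionRegistry` and all member names are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical server-side session registry (assumption, not a Kentico type).
public sealed class SessionRegistry
{
    private sealed class Record { public string UserId; public int Epoch; }

    private readonly ConcurrentDictionary<string, Record> _sessions =
        new ConcurrentDictionary<string, Record>();
    // Per-user counter; a session is valid only while its epoch matches.
    private readonly ConcurrentDictionary<string, int> _epochs =
        new ConcurrentDictionary<string, int>();

    // Called after successful authentication; the return value goes in the cookie.
    public string Issue(string userId)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        _sessions[token] = new Record { UserId = userId, Epoch = _epochs.GetOrAdd(userId, 0) };
        return token;
    }

    // Called on every request; returns the user id, or null if the session is dead.
    public string Validate(string token)
    {
        Record r;
        if (token == null || !_sessions.TryGetValue(token, out r)) return null;
        if (r.Epoch == _epochs.GetOrAdd(r.UserId, 0)) return r.UserId;
        _sessions.TryRemove(token, out r);   // issued before the last reset: purge
        return null;
    }

    // Logout: delete the server-side record, not only the browser cookie.
    public void Logout(string token)
    {
        Record r;
        if (token != null) _sessions.TryRemove(token, out r);
    }

    // Password reset: bump the epoch so every earlier session fails Validate.
    public void OnPasswordReset(string userId)
    {
        _epochs.AddOrUpdate(userId, 1, (key, old) => old + 1);
    }
}
```

The dictionaries here live in one process; on a web farm the session records and the per-user epoch would have to sit in a shared store so that every node sees the reset.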
