Apache Airflow: AIRFLOW-4183

[security] ui - Simultaneous Logins


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security, ui
    • Labels: None

      Description

      The Airflow web application is not configured to restrict the number of concurrent sessions per account. Concurrent sessions allow multiple users to log in to the web application at the same time with the same user credentials. The application also gives no notification when another session has been opened or when changes are made.

      Business Impact/Attack Scenario

      If a genuine user's credentials are stolen, an attacker can use the user's account to access information within the application. The likelihood of detecting the unauthorised access is reduced because the user is not told at login when the account was last accessed or whether any invalid login attempts were made recently.

      Recommendation

      If possible, restrict each user account to one valid session at a time. If the web application cannot restrict concurrent logon sessions, it must take effective action after each new authentication event: implicitly terminate the previously available session, or ask the user (through the old session, the new session, or both) which session should remain active. As a fallback measure, notify the user that a concurrent session has been detected.
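The recommendation describes the policy but not the mechanics. The following is an added example, not Airflow's own code (Airflow's webserver is Flask-based, but this registry is framework-neutral and would sit behind the login and request handlers). The `SessionRegistry` API, the 24-hour failed-login window and the notice wording are assumptions chosen for illustration. It implements the "terminate the previous session" option: each successful login mints a fresh random session id, records the previous one as superseded so the old browser gets an explanatory rejection rather than a silent logout, and returns the last-login and recent-failure notices the description asks for.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical policy knob (an assumption, not an Airflow setting).
FAILED_LOGIN_WINDOW_SECONDS = 24 * 60 * 60


def _same(a: str, b: str) -> bool:
    """Constant-time comparison; encode so non-ASCII input cannot raise TypeError."""
    return secrets.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


@dataclass
class AccountSessionState:
    """Server-side record for one account; the browser only ever holds a session id."""
    active_session: Optional[str] = None      # the single session id currently honoured
    superseded_session: Optional[str] = None  # the id just terminated, kept to explain why
    last_login_at: Optional[float] = None
    last_login_ip: Optional[str] = None
    failed_attempts: List[float] = field(default_factory=list)


class SessionRegistry:
    """Enforces one valid session per account and builds the login-time notices."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable so the behaviour can be tested deterministically
        self._accounts: Dict[str, AccountSessionState] = {}

    def _state(self, username: str) -> AccountSessionState:
        return self._accounts.setdefault(username, AccountSessionState())

    def record_failed_login(self, username: str) -> None:
        """Called by the password check on a wrong password; feeds the login notice."""
        self._state(username).failed_attempts.append(self._clock())

    def login(self, username: str, client_ip: str) -> Tuple[str, List[str]]:
        """Call only after the credentials have been verified.

        Returns the new session id plus the notices to show the user. Any
        session that was active before this login is terminated.
        """
        st = self._state(username)
        now = self._clock()
        notices: List[str] = []

        if st.last_login_at is not None:
            stamp = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(st.last_login_at))
            notices.append(f"Last successful login: {stamp} from {st.last_login_ip}")

        recent = [t for t in st.failed_attempts if now - t <= FAILED_LOGIN_WINDOW_SECONDS]
        if recent:
            notices.append(f"{len(recent)} failed login attempt(s) on this account "
                           f"in the last {FAILED_LOGIN_WINDOW_SECONDS // 3600} hours")

        if st.active_session is not None:
            notices.append("Another session for this account was active and has been terminated")
            st.superseded_session = st.active_session

        st.active_session = secrets.token_urlsafe(32)  # 256 bits of randomness
        st.last_login_at = now
        st.last_login_ip = client_ip
        st.failed_attempts.clear()
        return st.active_session, notices

    def validate(self, username: str, session_id: str) -> Tuple[bool, str]:
        """Run on every request that carries a session cookie."""
        st = self._accounts.get(username)  # do not create records for unknown names
        if st is None:
            return False, "unknown or expired session"
        if st.active_session is not None and _same(session_id, st.active_session):
            return True, "ok"
        if st.superseded_session is not None and _same(session_id, st.superseded_session):
            return False, "session terminated: a newer login to this account replaced it"
        return False, "unknown or expired session"

    def logout(self, username: str, session_id: str) -> bool:
        """Explicit logout only clears the session that presents the active id."""
        st = self._accounts.get(username)
        if st is not None and st.active_session is not None and _same(session_id, st.active_session):
            st.active_session = None
            return True
        return False


if __name__ == "__main__":
    reg = SessionRegistry()
    first, _ = reg.login("alice", "10.0.0.5")          # constructed sample login
    reg.record_failed_login("alice")                    # attacker guesses wrong once
    second, notices = reg.login("alice", "203.0.113.9") # second login supersedes the first
    for n in notices:
        print("notice:", n)
    print("old session still valid?", reg.validate("alice", first))
    print("new session valid?", reg.validate("alice", second))
```

Wiring this into the webserver means calling `login()` from the authentication handler, storing only the returned id in the session cookie, and calling `validate()` in a before-request hook so the superseded browser is redirected to the login page with the returned reason. If a deployment needs the "ask which session should stay" variant instead, `login()` is the place to hold the new id as pending until the user answers.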

            People

            • Assignee: Unassigned
            • Reporter: toopt4 t oo
