Gatling Enterprise Session Management Vulnerability Allowing Extended Access After Logout
Vulnerability
A vulnerability in Gatling Enterprise versions prior to 1.25.0 allows users to continue accessing the application after logging out, due to improper session management. Sessions are stateless, so logging out does not invalidate the session token server-side; the token remains valid and usable until the encryption secret is changed. As a result, a user who has been removed from the application retains access indefinitely, provided they keep a copy of their session token.
Impact
A user who retains a session token keeps access to the application after logout. This matters most for removed users: because removal does not invalidate their existing token, they can continue to use the application as if their account were still active, which creates a potential for unauthorized access.
Reproduction
To reproduce this vulnerability, log into Gatling Enterprise version 1.25.0 or earlier and use the application as normal, keeping a copy of the session token. Then log out. Despite the logout, the session token remains active and continues to grant access to the application. This can be verified by attempting actions within the application that require an active session; they still succeed.
Remediation
It is recommended to invalidate the session immediately upon logout (and upon user removal). If immediate invalidation is not possible, sessions should be made short-lived, with a mechanism to extend them in the background as needed, so that a logged-out or removed user's token stops working within minutes rather than persisting until the secret is rotated.
