Hey, I've found a session management issue in app.passit.io, which can lead to session takeover!
When the password of an account is changed from a session, the other sessions don't expire!
1) We need to use two different browsers, e.g. 1. Chrome 2. Safari
2) Log in on both browsers
3) After logging in on both browsers
4) Change the password
5) After the password change (attacker changes user info)
6) Let's check on the other browser whether the user info is changed or not
7) You can see the user info is changed even after the password change, and the session is still alive.
Please let me know if you have any query.
Hope you fix this ASAP.
Thank you,
Alpha66
It is recommended that the session must expire on the server side when the user updates their password from the application.
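As an added example (not Passit's code and not the reporter's), here is a minimal server-side session store in Python that implements the recommendation above: every session records the password generation it was issued under, and a password change bumps that generation so every other session of the user is rejected on its next request, while the session that made the change is carried forward. The in-memory tables, the function names and the PBKDF2 hashing are assumptions of the example; `reproduce_report()` replays the two-browser steps from the report.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user and session tables (example only; not Passit's code).
USERS = {}     # username -> {"pw_hash", "salt", "pw_generation"}
SESSIONS = {}  # token -> {"user", "pw_generation"}

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"pw_hash": _hash_pw(password, salt), "salt": salt, "pw_generation": 0}

def login(username, password):
    u = USERS.get(username)
    if u is None or not hmac.compare_digest(u["pw_hash"], _hash_pw(password, u["salt"])):
        return None
    token = secrets.token_urlsafe(32)
    # Each session records the password generation it was issued under.
    SESSIONS[token] = {"user": username, "pw_generation": u["pw_generation"]}
    return token

def resolve_session(token):
    # Username for a live session, else None. A session issued under an older
    # password generation is stale and is dropped here, on the server side.
    s = SESSIONS.get(token)
    if s is None or s["pw_generation"] != USERS[s["user"]]["pw_generation"]:
        SESSIONS.pop(token, None)
        return None
    return s["user"]

def change_password(token, old_password, new_password):
    u = USERS.get(resolve_session(token))
    if u is None or not hmac.compare_digest(u["pw_hash"], _hash_pw(old_password, u["salt"])):
        return False
    u["salt"] = secrets.token_bytes(16)
    u["pw_hash"] = _hash_pw(new_password, u["salt"])
    u["pw_generation"] += 1
    # Only the session that made the change is carried forward; every other one is now stale.
    SESSIONS[token]["pw_generation"] = u["pw_generation"]
    return True

def reproduce_report():
    # Browsers A and B log in; A changes the password; B's session must then be dead.
    create_user("alice", "correct horse")
    a, b = login("alice", "correct horse"), login("alice", "correct horse")
    change_password(a, "correct horse", "battery staple")
    return resolve_session(a), resolve_session(b)
```

A real deployment keeps the generation counter in the user record and the session store rather than in process memory, but the check on every request is the same.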