What is Failure to Invalidate Session – On Logout (Client and Server-Side) Vulnerability?

This vulnerability exists because the application does not correctly invalidate a user’s session on the server once the user logs out. The session remains active on the server, so any request carrying the user’s session identifier is still processed successfully, just as if the user had made it. As a result, an attacker who obtains a previously used or otherwise accessible session token can use it to access the application even after the legitimate user has logged out.

The user’s HTTP session on the server should be ended promptly once a logout action is completed. Note that merely removing the cookie from the browser does not end the server-side session: the identifier it held is still valid on the server. The session must be invalidated on the server using the HTTP container’s own session abandonment mechanism (for example, `HttpSession.invalidate()` in a Java servlet container), and only then should the cookie be cleared from the browser.
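The following added example (not ZOFixer’s code) shows the two logout implementations side by side, with a minimal in-memory session store standing in for the container’s session mechanism. The `SESSIONS` dictionary, `SESSIONID` cookie name and the helper functions are assumptions made for illustration; `replay_after_logout` logs in, logs out with the given handler, and then replays the old identifier to see whether the server still accepts it.

```python
import secrets
import time
from typing import Dict, Optional

# Minimal in-memory server-side session store (constructed for this example;
# a real application would use its framework's session mechanism instead).
SESSIONS: Dict[str, dict] = {}
SESSION_TTL = 1800  # idle timeout in seconds, an assumed value

def login(username: str) -> str:
    """Create a server-side session and return the identifier the cookie will carry."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "last_seen": time.time()}
    return token

def authenticate(token: Optional[str]) -> Optional[str]:
    """Resolve a session identifier from a request to a user, or None if not valid."""
    session = SESSIONS.get(token) if token else None
    if session is None:
        return None
    if time.time() - session["last_seen"] > SESSION_TTL:
        SESSIONS.pop(token, None)  # idle session: expire it on the server
        return None
    session["last_seen"] = time.time()
    return session["user"]

def logout_cookie_only(cookies: dict) -> dict:
    """Vulnerable logout: clears the browser cookie but leaves the server session intact."""
    cookies.pop("SESSIONID", None)
    return cookies

def logout_server_side(cookies: dict) -> dict:
    """Correct logout: destroy the server-side session first, then clear the cookie."""
    token = cookies.pop("SESSIONID", None)
    if token is not None:
        SESSIONS.pop(token, None)  # the equivalent of HttpSession.invalidate()
    return cookies

def replay_after_logout(logout) -> Optional[str]:
    """Log in, log out with the given handler, then replay the old identifier.

    Returns the user the server still associates with the old token, or None."""
    token = login("alice")
    cookies = {"SESSIONID": token}
    logout(cookies)                 # browser cookie is removed in both variants
    return authenticate(token)      # but only server-side invalidation rejects replay
```

With the cookie-only logout the replayed identifier is still accepted as `alice`; with server-side invalidation it is rejected.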

ZOFixer.com security scan helps to find this vulnerability in your software and server. You can easily use it by registering on our website and activating the 30-day trial.
