V3 - Session Management
Old session is not invalidated after logout
POC
- Login as UserA
- Intercept one of the authenticated requests and send it to Burp Repeater
- Logout
- Send the intercepted request in Burp Repeater again and observe that the session has not been invalidated
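The same steps as a regression check, shown against a logout that only clears the browser cookie and one that also destroys the server-side session. This is an added example, not code from the tested application; `SessionStore`, its methods and the cookie name `session` are hypothetical stand-ins for the application's session handling.

```python
import secrets


class SessionStore:
    """Constructed in-memory stand-in for an application's server-side session table."""

    def __init__(self, invalidate_on_logout):
        self.invalidate_on_logout = invalidate_on_logout
        self._sessions = {}  # token -> username

    def login(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def logout(self, token):
        # Weak behaviour: the server only tells the browser to drop the cookie
        # and keeps its own record, so a saved copy of the token still works.
        if self.invalidate_on_logout:
            self._sessions.pop(token, None)  # fix: destroy the server-side session
        return {"Set-Cookie": "session=; Max-Age=0; Path=/; HttpOnly; Secure"}

    def authenticated_user(self, token):
        """The lookup every authenticated endpoint performs on the presented token."""
        return self._sessions.get(token)


def replay_accepted_after_logout(store):
    """Follow the finding's steps: login, keep the token, logout, resend it."""
    token = store.login("UserA")
    assert store.authenticated_user(token) == "UserA"  # works while logged in
    store.logout(token)
    # True means the old token is still honoured, i.e. the finding reproduces.
    return store.authenticated_user(token) is not None


if __name__ == "__main__":
    print("cookie-only logout, replay accepted:",
          replay_accepted_after_logout(SessionStore(invalidate_on_logout=False)))
    print("server-side invalidation, replay accepted:",
          replay_accepted_after_logout(SessionStore(invalidate_on_logout=True)))
```

A check of this shape can run in the application's test suite after the fix so the behaviour does not regress.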
Impact
Low
Likelihood
Low