Improper session management — Session does not expire after logout

Pugazh Vel
2 min read, Jun 10, 2021
Just for fun

I hope everyone is doing well. I am back with my recent finding. I recently helped to fix this bug and received a crypto bounty $$$.

Summary

I recently targeted a private bug bounty program. I took 3 days to understand the application logic. After understanding the logic of the application, I created 5 more accounts.

I logged in to my first 2 accounts, one in Chrome and the other in Firefox. Here I saw the user_token parameter in the cookie. I took a note of the cookies and logged out. I repeated the above process 3 more times. Every time you log in to your account, your user_token is new.

I captured all my requests in Burp Suite and manipulated the user_token parameter. I replaced the current user_token with my old user_token in Burp Repeater. The old user_token returned the same result as my new user_token.

I confirmed this is vulnerable to improper session handling.

Steps to Reproduce:

Note: I observed the user_token remaining valid even 72 hours after being issued.

  1. Log in to ACCOUNT A with valid credentials and capture the traffic with Burp Suite or OWASP ZAP.
  2. Save the Account A user_token for future use.
  3. Log out of Account A and log in to Account A again. This time your user_token is new; every time you log in, your user_token is new. Save the new user_token for future use as well.
  4. Log in to ACCOUNT B with valid credentials and capture the traffic with Burp Suite or OWASP ZAP.
  5. Save the Account B user_token for future use.
  6. Then go to https://example.com/profile, capture the request with the proxy and send it to Repeater.
  7. Change the user_token to Account A's old user_token: your private information is leaked (email id, phone number, login, name, gender, etc.).
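The root cause behind the summary and the steps above is that logout only clears the cookie in the browser while the server keeps honouring the old user_token, and no absolute lifetime is enforced. The following is an added illustration, not code from the original post or from the affected application: an in-memory session store where logout revokes the token server-side and sessions carry an absolute lifetime, alongside a variant that mirrors the reported behaviour, plus a replay of the reproduction steps as a regression check. Names such as `SessionStore`, `VulnerableStore`, `profile`, `replay_steps` and the 12-hour `MAX_SESSION_AGE` are assumptions for the example.

```python
import secrets
import time

# Absolute session lifetime in seconds (assumed value for this example). The post
# observed tokens still valid 72 hours after issue; a server-side cap bounds how long
# a saved or leaked token stays useful even if logout is never called.
MAX_SESSION_AGE = 12 * 60 * 60


class SessionStore:
    """Server-side map of user_token -> session record.

    Every request is resolved against this map, so revocation on logout and
    expiry are enforced by the server regardless of what the client sends.
    """

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested without waiting

    def login(self, username):
        # Fresh, unpredictable token per login (matches the "new token every login" observation).
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "issued_at": self._clock()}
        return token

    def logout(self, token):
        # Revoke the server-side record; clearing the browser cookie alone is not enough.
        self._sessions.pop(token, None)

    def user_for(self, token):
        record = self._sessions.get(token)
        if record is None:
            return None
        if self._clock() - record["issued_at"] > MAX_SESSION_AGE:
            self._sessions.pop(token, None)  # expired: drop it and treat as unauthenticated
            return None
        return record["user"]


class VulnerableStore(SessionStore):
    """Mirrors the reported behaviour: logout only clears the cookie client-side."""

    def logout(self, token):
        pass  # server-side record survives, so a saved user_token keeps working


def profile(store, token):
    """Stand-in for GET /profile: returns (status, body) based on the presented token."""
    user = store.user_for(token)
    if user is None:
        return 401, None
    return 200, {"login": user}


def replay_steps(store):
    """Replay the post's reproduction steps; True means the old token is correctly rejected."""
    old_a = store.login("account_a")      # step 1-2: log in, keep the token
    store.logout(old_a)                   # step 3: log out ...
    new_a = store.login("account_a")      # ... and log in again, new token issued
    token_b = store.login("account_b")    # step 4-5: second account
    # Current tokens must still work for their own accounts.
    assert profile(store, new_a) == (200, {"login": "account_a"})
    assert profile(store, token_b) == (200, {"login": "account_b"})
    status, _ = profile(store, old_a)     # step 7: present the old Account A token
    return status == 401


def stale_token_rejected():
    """Check the absolute lifetime: a token is dead 72 hours after issue even without logout."""
    now = [1_000_000.0]  # constructed fake clock
    store = SessionStore(clock=lambda: now[0])
    token = store.login("account_a")
    now[0] += 72 * 60 * 60
    return store.user_for(token) is None


if __name__ == "__main__":
    print("hardened store rejects old token:", replay_steps(SessionStore()))
    print("vulnerable store rejects old token:", replay_steps(VulnerableStore()))
    print("72h-old token rejected:", stale_token_rejected())
```

`replay_steps` is the check worth keeping as an automated test in the application's own suite: it fails against `VulnerableStore` and passes once logout actually deletes the server-side record. The injectable clock is what makes the lifetime check testable without sleeping for three days.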

Thank you.

😁😁😁😁😁😁
