Session Timeout
Check List
Methodology
Black Box
Reusing Session IDs
Observe session timeout behavior and identify client-side session-clear requests (/clearSession)
Intercept outgoing requests with a proxy (Burp) and confirm /clearSession is sent periodically
Create a match-and-replace rule in the proxy to block or modify /clearSession so it no longer clears the session
Verify the session remains active past the configured timeout: the timeout is enforced only on the client, and the same session ID keeps being accepted by the server
Inspect the logout flow; identify all endpoints called (/clearSession, /authservice/logout)
Replay the old session ID after logout to confirm whether logout actually invalidates the server-side session or only deletes the client-side cookie
Insufficient Session Expiration
Navigate to https://example.com/ and log into the AWS Management Console using AWS SSO
Keep the session idle until the configured session-timeout period is reached and you are automatically logged out of the AWS Management Console
After the timeout, visit the AWS Access Portal URL (https://example.com/awsapps/portal) directly without performing any new authentication
Observe that the portal still grants access and allows re-login to AWS services without requiring a fresh SSO authentication, indicating improper session invalidation
Password Change
Open Browser A (Brave) and Browser B (Firefox)
Log into the same user account in both browsers using valid credentials
In Browser A, navigate to Account Settings → Change Password
Update the password to a new value and confirm the change succeeded
Switch to Browser B and refresh any authenticated page
Observe that the session remains active and no re-authentication is required
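The three black-box procedures above probe one server-side property: whether a session ID is still accepted after an idle timeout, after a password change made in another browser, and after logout. The Python model below is an added example, not code from the original page, from AWS, or from any product it mentions. It stands in for the target with a session store whose expiry is left to the client (the /clearSession pattern) next to a hardened store that enforces expiry and revocation itself, and runs the same three checks against each. The class names, probe(), the 15-minute idle and 8-hour absolute limits, and the timestamps are all assumptions made for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float      # absolute lifetime is measured from here
    last_seen: float    # idle timeout is measured from here
    pw_version: int     # password generation the session was issued under


class VulnerableSessions:
    """Hypothetical server that relies on the client to end sessions.

    is_valid() ignores time, password changes and logout, so a captured
    session ID keeps working: exactly what the black-box steps detect.
    """

    def __init__(self):
        self.store = {}        # session id -> Session
        self.pw_version = {}   # user -> current password generation

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self.store[sid] = Session(user, now, now, self.pw_version.get(user, 0))
        return sid

    def is_valid(self, sid, now):
        return sid in self.store            # never expires, never revoked

    def change_password(self, user, now, keep_sid=None):
        # The password changes, but every existing session is left alone.
        self.pw_version[user] = self.pw_version.get(user, 0) + 1

    def logout(self, sid):
        pass  # the client deletes its cookie; the server keeps the session


class HardenedSessions(VulnerableSessions):
    """Same interface, but expiry and revocation are enforced server-side."""

    IDLE_TIMEOUT = 15 * 60        # assumed policy values, not from the page
    ABSOLUTE_LIFETIME = 8 * 3600

    def is_valid(self, sid, now):
        s = self.store.get(sid)
        if s is None:
            return False
        expired = (now - s.last_seen > self.IDLE_TIMEOUT
                   or now - s.created > self.ABSOLUTE_LIFETIME)
        revoked = s.pw_version != self.pw_version.get(s.user, 0)
        if expired or revoked:
            del self.store[sid]     # drop it so the ID cannot be replayed later
            return False
        s.last_seen = now           # sliding idle window
        return True

    def change_password(self, user, now, keep_sid=None):
        super().change_password(user, now, keep_sid)
        # Every other session of this user is now stale; only the session that
        # performed the change (if given) is carried over to the new generation.
        for sid, s in list(self.store.items()):
            if s.user == user:
                if sid == keep_sid:
                    s.pw_version = self.pw_version[user]
                else:
                    del self.store[sid]

    def logout(self, sid):
        self.store.pop(sid, None)   # server-side invalidation, not just cookie deletion


def probe(impl, idle_timeout=HardenedSessions.IDLE_TIMEOUT):
    """Run the three black-box checks against a session implementation.

    True means the weakness is present. Time is passed in explicitly so the
    'wait for the timeout' step is simulated instead of slept through.
    """
    srv = impl()
    t0 = 1_700_000_000.0   # constructed epoch timestamp

    # 1. Idle past the timeout, then replay the old session ID.
    sid = srv.login("alice", t0)
    reuse_after_timeout = srv.is_valid(sid, t0 + idle_timeout + 1)

    # 2. Two browsers; change the password in A, then refresh from B.
    browser_a = srv.login("alice", t0)
    browser_b = srv.login("alice", t0)
    srv.change_password("alice", t0 + 60, keep_sid=browser_a)
    other_survives_pw_change = srv.is_valid(browser_b, t0 + 61)

    # 3. Log out, then replay the session ID that was supposedly cleared.
    sid = srv.login("alice", t0)
    srv.logout(sid)
    reuse_after_logout = srv.is_valid(sid, t0 + 1)

    return {
        "reuse_after_timeout": reuse_after_timeout,
        "other_session_survives_password_change": other_survives_pw_change,
        "reuse_after_logout": reuse_after_logout,
    }


if __name__ == "__main__":
    for impl in (VulnerableSessions, HardenedSessions):
        print(impl.__name__, probe(impl))
```

Against a real target the same three checks are made with the captured session cookie: the simulated wait becomes the real idle period (or the blocked /clearSession request), the password change happens in the second browser, and a replay of the old cookie after logout replaces the call to logout(). Any check that comes back True is the condition the steps above report as a finding.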
White Box
Cheat Sheet