Hijacked https sessions to the company file

Simon Denham (Member, Posts: 18, Reckoner)

Hello,

scenario:

userA is logged onto the hosted server with user1 credentials AND then logged into the company file with their own specific company login credentials.

When userB logs onto the hosted server with user1 credentials [given the high cost of hosted server user licenses, it is reasonable to share hosted server logins... non-concurrently of course...], userA's hosted session is terminated, userB's hosted session is active AND is now logged into the company file as user1 without having to enter any company file credentials whatsoever. userB now has access to the company file with userA privileges.


How is it possible to hijack a https session with a different client?

Is it not best practice to be able to continue a https session from a different client. If the session is terminated, the entire login session must be torn down too.

Is Reckon stating there needs to be a 1 to 1 relationship between the hosted server credentials and the company file credentials? This is not the way it has been described and it certainly prices you way out of the market. Even this would not address a fundamental security problem at the server.

I suggest you quickly recode the transport protocol management and prevent existing sessions from being terminated by new session requests and only terminate sessions from the dashboard control panel.

Unless I have missed something obvious...



Regards

Simon

Comments

  • Kris_Williams (Member, Posts: 3,628, Reckon Accounts Hosted Elite Expert)

    Yes, if you do not log out of a file another user has access to it. That is how I know that my users have not logged out. However, there is no opportunity to do this using your scenario.

  • Rav (Administrator, Reckon Staff, Posts: 16,418, Reckon Community Manager)

    When user B logs into the active session with the same credentials (Hosted), the system acknowledges it as the same person ie. user A and gives them control of the existing Hosted session, including access to whatever is operating in that session at the time ie. the same company file and access. 

    The reason why when user B logs in and it straight away opens to the data file with user A's user profile is because user A has not logged out of the file correctly.

    If you're going to share credentials then you'll need to instruct user A when they are finished using Hosted that they are going to File > Close Company/Log Off. When they do this and then user B logs on, it will prompt them to enter their own username and password to access the data file.


    Best practice is always to have a separate licence for any additional users.

  • Eric Murphy (Member, Posts: 218, Reckoner)

    This is a non-issue.

  • Simon Denham (Member, Posts: 18, Reckoner)

    Hello Rav,

    User A never gets the chance to log out of the file correctly because their session is terminated without warning... Please do not push the lack of Reckon best practice session management back onto the paying user. The current behaviour means the new user needs to determine if every other user has ended their session before logging in... this isn't workable in a small office or a team working from home.

    The problem [and it is a significant problem] is the user's session is terminated without any warning to either the old or new session users.

    If the https session comes from the same computer, then to accommodate intermittent and unstable connections, it should keep the session alive. TCP accommodates this.

    In this case, a new session is getting priority over an existing connection, there is not even a simple check to determine if an existing connection is in progress. This is a security disaster. When there is a stable and active https connection, the system should not allow the existing session to be terminated without warning AND it should not allow the new sessions into the company file with the existing credentials/privileges. This behaviour is so far away from best practice, it is apparent Reckon have not considered security in its development.

    The new session should never terminate an existing session without warning.

    This is a significant security issue that is already known, and needed to be resolved yesterday.


    Regards

    Simon

  • Rav (Administrator, Reckon Staff, Posts: 16,418, Reckon Community Manager)

    Hi Simon

    I'll have to disagree with you. The root cause of the scenario you're finding yourself in is that your users are sharing the same login credentials. While this might be widely done by many users on the Hosted service, it isn't best practice.

    The session is terminated without warning because Hosted is assuming that it's the SAME user accessing the service, since they are logging in with the same login credentials. The software won't determine whether it's the same person on the PC or not, since that licence/login is specifically for user A.

    I'm not suggesting that you can't share the login credentials as ultimately that's up to you but I'd suggest having some sort of understanding and/or arrangement between your users so that the person currently accessing the file doesn't find their session abruptly closed by someone else who attempts to access the service using the same login as the person already logged in.

    If you want each user to have the ability to work on the company file in Hosted concurrently and without interruption then they need to have their own licence.

  • Simon Denham (Member, Posts: 18, Reckoner)

    This isn't going to work, the simple fact of a user privilege escalation created by a badly implemented server login is just not supportable in the 21st century.

    I should not be able to escalate the user privileges because of an uncontrolled session termination. This is basic IT security.

    Thanks for taking the time to clarify.


    regards

    Simon

  • Eric Murphy (Member, Posts: 218, Reckoner)

    You're talking about security and in the same breath state that your staff are sharing usernames & passwords... How secure is that exactly?


    Mate. Just pay for another licence and write it off as a business expense like we all are.

    Or just tell old mate to give a shout or message to the first person before they login. It's simple stuff.
