• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

getting session using burp suite professional

 
vijay jamadade
Ranch Hand
Posts: 243
1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
hi,
we are doing penetration testing for our application. for logout i am invalidating session using session.invalidate but still penetration testing people are able to record the session id from the active session and someway they are accessing the application after logout using burp suite tool by accessing the same recorded session id.

problem hereis i am not getting why they are able to get the session for recorded session id even after logout on container. i guess session.invalidate will destroy the session on server. i am using weblogic server. is it possible?
 
vijay jamadade
Ranch Hand
Posts: 243
1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
issue is i am invalidating the weblogic session using session.invalidate but still session is not getting destryoed on server. so recording session id and using tool like burp suite i am able to get inside the application with the old session.

now i found out that session destroy takes some time on server depending on the value set on admin sever for that application. i set it to 2 sec. still it is taking around 3-4 minutes to destroy it. is it that slow task?
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic