we are doing penetration testing for our application. for logout i am invalidating session using session.invalidate but still penetration testing people are able to record the session id from the active session and someway they are accessing the application after logout using burp suite tool by accessing the same recorded session id.
problem hereis i am not getting why they are able to get the session for recorded session id even after logout on container. i guess session.invalidate will destroy the session on server. i am using weblogic server. is it possible?
Regards, Vijay Jamadade.
( Nothing is Impossible.)
Joined: May 12, 2008
issue is i am invalidating the weblogic session using session.invalidate but still session is not getting destryoed on server. so recording session id and using tool like burp suite i am able to get inside the application with the old session.
now i found out that session destroy takes some time on server depending on the value set on admin sever for that application. i set it to 2 sec. still it is taking around 3-4 minutes to destroy it. is it that slow task?