
Logging in with passkeys bypasses maximum session restriction #16685

Open
ziqin opened this issue Mar 1, 2025 · 0 comments
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug

Comments


ziqin commented Mar 1, 2025

Describe the bug

In a Spring-built website with maximum session restriction, a user logging in with a passkey can bypass the maximum session restriction.

The above phenomenon is observed in Spring Security 6.4.3.

To Reproduce

  1. Use spring initializr to generate a new Spring project with “Spring Web” and “Spring Security” dependencies. Then manually add the webauthn4j-core dependency.
  2. Configure a SecurityFilterChain with WebAuthnConfigurer and SessionManagementConfigurer, setting maximumSession(1). Then, run the project.
  3. Visit http://localhost:8080/webauthn/register in a non-private browser window, sign in as user with username + password, and register a passkey.
  4. Visit http://localhost:8080/ in an “InPrivate” mode window, sign in as user with the registered passkey.
  5. Go back to the non-private window and refresh the authenticated page; the user is not signed out by Spring Security.

Expected behavior

After the user started the second session in Step 4, he/she should be signed out when going back to the first session to refresh an authenticated page in Step 5.

Sample

The code of interest is listed below.

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@SpringBootApplication
public class WebauthnSessionApplication {

    public static void main(String[] args) {
        SpringApplication.run(WebauthnSessionApplication.class, args);
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
                // At most one concurrent session per user; the older session is expired
                // and redirected to /login?logout when it next makes a request.
                .sessionManagement(session -> session
                        .maximumSessions(1)
                        .expiredUrl("/login?logout"))
                // Username/password login (default /login page).
                .formLogin(Customizer.withDefaults())
                // Passkey (WebAuthn) registration and login for this relying party.
                .webAuthn(webAuthn -> webAuthn
                        .rpId("localhost")
                        .rpName("Demo")
                        .allowedOrigins("http://localhost:8080"))
                .authorizeHttpRequests(authz -> authz
                        .anyRequest().authenticated());
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        // Single in-memory test user; withDefaultPasswordEncoder() is for demos only.
        return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build());
    }
}

A runnable project is uploaded as webauthn-session.tar.gz.

BTW

I also noticed that when logging in with a passkey, the session cookie JSESSIONID is not changed, unlike logging in with a password. Maybe this phenomenon is also related to the maximum session restriction, as both of them are related to session management. Should I create a new issue for it? Or, is it a vulnerability about session fixation attack protection? If I'm not supposed to post it here, feel free to delete this issue and ask me to recreate a new issue without this section.

@ziqin ziqin added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Mar 1, 2025
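As an added illustration that is not part of the reporter's project or of Spring Security's own code: the SessionAuthenticationStrategy chain that maximumSessions(1) wires up for form login, driven directly against mock requests so the expected outcome of Steps 3 to 5 (old session marked expired, session id rotated on login) can be checked without a browser or a passkey. It assumes spring-security-web and spring-test on the classpath; the class and method names are mine.

```java
import java.util.List;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

public class SessionStrategyDemo {
    // The chain maximumSessions(1) installs for form login:
    // enforce the limit, rotate the session id, then register the new session.
    static SessionAuthenticationStrategy strategy(SessionRegistry registry) {
        var concurrency = new ConcurrentSessionControlAuthenticationStrategy(registry);
        concurrency.setMaximumSessions(1);
        concurrency.setExceptionIfMaximumExceeded(false); // expire the older session rather than reject
        return new CompositeSessionAuthenticationStrategy(List.of(
                concurrency,
                new ChangeSessionIdAuthenticationStrategy(),
                new RegisterSessionAuthenticationStrategy(registry)));
    }

    // One successful login on a fresh, pre-authentication session; returns the id that gets registered.
    static String login(SessionAuthenticationStrategy strategy, Authentication auth) {
        var request = new MockHttpServletRequest();
        String before = request.getSession(true).getId();
        strategy.onAuthentication(auth, request, new MockHttpServletResponse());
        String after = request.getSession(false).getId();
        System.out.println("session id rotated on login: " + !before.equals(after));
        return after;
    }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistryImpl();
        SessionAuthenticationStrategy strategy = strategy(registry);
        Authentication user = UsernamePasswordAuthenticationToken.authenticated(
                "user", null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        String first = login(strategy, user);   // the non-private window (Step 3)
        String second = login(strategy, user);  // the InPrivate window (Step 4)
        // With maximumSessions(1) the first session is now marked expired; ConcurrentSessionFilter
        // acts on that flag when the first window refreshes (Step 5).
        System.out.println("first session expired: " + registry.getSessionInformation(first).isExpired());
        System.out.println("second session expired: " + registry.getSessionInformation(second).isExpired());
    }
}
```

Any login path that authenticates a user without running this strategy (or an equivalent one) leaves the registry untouched, which is exactly the symptom the report describes: no expiry of the older session and no change of JSESSIONID.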