𝗖𝗼𝗻𝗰𝘂𝗿𝗿𝗲𝗻𝘁 𝗟𝗼𝗴𝗶𝗻 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆
Unlimited logins can hide serious business logic flaws.
A user logs in on a laptop. Seconds later, the same account logs in on a different browser. Then a mobile device. Then an API client. Everything works perfectly.
This seems fine because many apps support multiple devices. But you must ask: Should every application allow unlimited sessions?
In some systems, multiple sessions are a feature. In others, it is a flaw that attackers use to stay hidden. This is a business logic vulnerability. The code works as designed, but the design itself is weak.
The difference: • Traditional bugs exploit coding mistakes. • Business logic bugs exploit design decisions.
Think about a movie streaming service. If one subscription allows ten people to watch at once, the login system works. The business rule fails.
This applies to banking, admin panels, and SaaS products.
How to test for this:
- Log in via Browser A and keep it active.
- Open an incognito window in Browser B.
- Log in with the same credentials.
- Check if the first session still works.
- Check if you can perform sensitive actions on both.
High-security apps often enforce these rules:
- One active session per account.
- Logging out old sessions when a new login occurs.
- Controls to manage devices.
- Alerts for new logins.
If an attacker steals credentials, they can stay logged in forever if you allow unlimited sessions. They stay active while the real user stays active. Neither person notices the intruder.
Context is everything. Apps that need many sessions:
- Messaging apps.
- Social media.
- Email services.
Apps that need strict control:
- Banking systems.
- Admin dashboards.
- Healthcare platforms.
How to fix it:
- Store active session IDs in a database.
- When a new login happens, kill the old session.
- Let users see active devices and locations.
- Add a "Log out from all devices" button.
- Send email or SMS alerts for new logins.
Do not just look for code bugs like SQL injection. Look for gaps between what your app does and what your business requires.
Review your session policy today. Your biggest risk might not be broken code. It might be broken logic.