๐ Bug Bounty Series
Simultaneous Login Allowed โ
Concurrent Sessions Bug Bounty Guide 2026
Simultaneous Login allows attackers to authenticate alongside the legitimate user โ undetected, no notification, no forced logout. Both sessions run in parallel and the victim has no signal that their account is being accessed by someone else.
๐ Table of Contents
๐ What is Simultaneous Login (Concurrent Sessions)?
Simultaneous Login occurs when an application allows multiple active authenticated sessions for the same user account at the same time โ without any notification, restriction, or forced logout. An attacker who obtains credentials can log in while the victim is still active, and both sessions run in parallel. The victim has absolutely no signal that a second session exists.
Simultaneous Login โ attacker and victim both authenticated concurrently; victim receives no notification
๐ก Core Concept
Simultaneous Login is a silent account compromise. The attacker does not need to kick the victim out. They log in alongside them. Both sessions are valid, both return the same user’s data. The victim sees nothing unusual โ no notification, no forced logout, no “someone else signed in” banner. The compromise is invisible until a server-side audit is performed.
โก 6 Scenarios Where Simultaneous Login Is Exploited
๐ Credential Theft Persistence
Attacker logs in with stolen credentials while victim is already active โ both sessions valid, victim sees nothing
MEDIUM
๐ Admin Concurrent Takeover
Attacker and admin simultaneously authenticated โ attacker reads and modifies app while admin is unaware
HIGH
๐ Session Replay Concurrency
Stolen/replayed session token used concurrently with the legitimate user’s own active session
MEDIUM
๐ฑ Unlimited Device Logins
No limit on how many devices can be logged in โ 10+ concurrent sessions possible without restriction
MEDIUM
๐ API + Web Concurrent
Web session and API token both active simultaneously โ different attack surfaces, both authenticated
MEDIUM
๐ฆ Banking Concurrent Session
Financial app allows concurrent sessions โ attacker reads statements while customer views same account
HIGH
๐ Simultaneous Login โ Quick Reference Table
| Field | Details |
|---|---|
| Vulnerability | Simultaneous Login Allowed (Concurrent Sessions) |
| Also Known As | Concurrent Session Control Missing, Multiple Active Sessions, No Session Limit |
| OWASP | A07:2021 โ Identification and Authentication Failures | WSTG-SESS-04 |
| CVE Score | 3.5 โ 6.5 (context-dependent) |
| Severity | Low โ Medium (High for admin, banking, or healthcare โ no notification) |
| Root Cause | No per-user session count limit; JWT issuance without revoking previous tokens; no notification hook |
| Where to Check | Login endpoint (two browsers); JWT multiple issuance; account settings for session management page |
| Best Tools | Two browsers (Chrome + Firefox or Incognito), Burp Suite Repeater, Python requests, curl |
| Practice Labs | PortSwigger Authentication Labs, HackTheBox, TryHackMe, OWASP WebGoat |
| Difficulty | Beginner โ requires only two browsers and valid credentials; no exploit technique needed |
| Key Test | Two separate sessions both return 200 on /api/me with same user_id simultaneously |
| Related Vulns | Session Hijacking, Missing Session Timeout, Insecure Logout |
๐ง Manual Testing for Simultaneous Login
๐ The Test Is Simple
Open two different browsers. Log in with the same credentials in both. Confirm both sessions return 200 on an authenticated endpoint with the same user_id. No complex exploit needed โ the vulnerability proves itself.
Phase 1 โ Core Two-Session Test
Quickest Confirmation โ Start Here
1
Login in Browser A โ Capture Session Token
Open Chrome โ login with valid credentials โ capture session token in Burp HTTP History or DevTools โ note it as SESSION_A.
2
Login in Browser B โ Capture Second Session Token
Open Firefox or Chrome Incognito โ login with the SAME credentials โ capture as SESSION_B. Confirm SESSION_A โ SESSION_B (two genuinely different tokens).
3
Confirm Both Active Simultaneously โ The Proof
Call
GET /api/me with SESSION_A โ note user_id. Call GET /api/me with SESSION_B โ same user_id. Both 200 OK with same user = CONFIRMED.4
Check for Notification
Check: was Browser A notified of the new login? Was an email sent? Is there a banner in the app? If no notification of any kind โ this is an additional finding to include in the report.
Core Concurrent Session Test
# Step 1: Login and save Session A curl -c session_a.txt -X POST https://target.com/api/login \ -H 'Content-Type: application/json' \ -d '{"email":"test@test.com","password":"test123"}' # Step 2: Login again and save Session B (same credentials) curl -c session_b.txt -X POST https://target.com/api/login \ -H 'Content-Type: application/json' \ -d '{"email":"test@test.com","password":"test123"}' # Step 3: Test both simultaneously echo "=== Session A ===" curl -b session_a.txt https://target.com/api/me echo "=== Session B ===" curl -b session_b.txt https://target.com/api/me # SECURE: Session A returns 401 after Session B login # VULNERABLE: Both return 200 with same user_id
Phase 2 โ Mass Session Limit Test
Create 5 Sessions โ Test All Active
# Create 5 sessions in a loop for i in 1 2 3 4 5; do curl -c "session_${i}.txt" -s -o /dev/null \ -X POST https://target.com/api/login \ -H 'Content-Type: application/json' \ -d '{"email":"test@test.com","password":"test123"}' echo "Created session $i" done # Test all 5 simultaneously for i in 1 2 3 4 5; do code=$(curl -b "session_${i}.txt" -s -o /dev/null -w '%{http_code}' \ https://target.com/api/me) echo "Session $i: HTTP $code" done # SECURE: Only 1 session active (or limited to N) # VULNERABLE: All 5 return 200 โ no session limit
Phase 3 โ JWT Concurrent Token Test
Multiple JWT Issuance โ Concurrent Validity
# Issue JWT_1 JWT_1=$(curl -s -X POST https://target.com/api/auth/login \ -d '{"email":"test@test.com","password":"test123"}' \ | python3 -c "import json,sys; print(json.load(sys.stdin)['access_token'])") # Issue JWT_2 from same account JWT_2=$(curl -s -X POST https://target.com/api/auth/login \ -d '{"email":"test@test.com","password":"test123"}' \ | python3 -c "import json,sys; print(json.load(sys.stdin)['access_token'])") # Test JWT_1 (should be invalidated when JWT_2 was issued) curl -H "Authorization: Bearer $JWT_1" https://target.com/api/me # Test JWT_2 curl -H "Authorization: Bearer $JWT_2" https://target.com/api/me # SECURE: JWT_1 returns 401 after JWT_2 issued (token versioning) # VULNERABLE: Both JWTs return 200 โ no JWT concurrency control
๐ค Tools for Simultaneous Login Testing
๐ Two Browsers
Chrome + Firefox, or Chrome + Incognito. Cleanest way to prove genuinely separate concurrent sessions.
Browser A: Chrome normal โ Browser B: Firefox or Incognito
๐ฌ Burp Repeater
Two Repeater tabs โ one with SESSION_A, one with SESSION_B. Send both simultaneously, compare responses.
Ctrl+R โ Tab 1: SESSION_A, Tab 2: SESSION_B โ Send both
๐ curl
Login twice with -c flags, test both with -b flags. Simplest command-line proof.
curl -c sess_a.txt /login ; curl -c sess_b.txt /login
๐ Python
Automate creating N sessions and testing all simultaneously. Shows no session limit exists.
requests.Session() ร N โ all login โ all test /api/me
๐ฅ๏ธ DevTools
Check Application โ Cookies in both browsers. Confirm different session values in both.
F12 โ Application โ Cookies โ compare session values
๐ง Email Check
After second login, check the account email for any new-login notification. Absence = missing alert.
Check inbox โ no email = missing login notification finding
๐ฅ Burp Suite โ Simultaneous Login Guide
1
Capture SESSION_A in HTTP History
Login in Chrome with Burp proxy โ HTTP History โ note
Cookie: session=SESSION_A in any authenticated request.2
Open Incognito โ Login Again for SESSION_B
Open Chrome Incognito (also proxied through Burp) โ login again โ HTTP History โ note
Cookie: session=SESSION_B. Verify SESSION_B โ SESSION_A.3
Open Two Repeater Tabs โ Test Simultaneously
Tab 1: GET /api/me with SESSION_A โ Send โ note user_id. Tab 2: GET /api/me with SESSION_B โ Send โ same user_id. Both 200 = confirmed.
4
Check for Session Management API Endpoints
In Burp Scanner / manual, test: GET /api/account/sessions, GET /api/sessions, GET /settings/security. If any return a list, check if both sessions appear. If no endpoint exists โ report that too.
๐ฃ Advanced Techniques
Admin Concurrent Session โ Highest Impact
Admin Concurrent Session โ Escalated Severity
# If admin credentials are obtained (via phishing, breach, etc.) # Test concurrent session specifically for admin account # Attacker session: curl -c attacker_admin.txt -X POST https://target.com/api/login \ -d '{"email":"admin@target.com","password":"Admin123!"}' # Verify admin access via attacker session: curl -b attacker_admin.txt https://target.com/api/admin/users # 200 OK โ attacker has full admin access # Meanwhile real admin is still logged in with their own session # BOTH sessions are valid simultaneously # Admin has no notification, no forced logout, no awareness # Severity: HIGH (full app control, completely silent)
JWT Concurrent Access โ Token Version Bypass
JWT No Token Versioning โ Permanent Concurrent Access
# Issue JWT_OLD at time T1 # User continues using app with JWT_OLD # Attacker later obtains credentials โ issues JWT_NEW at T2 # JWT_OLD remains valid (no token version increment) # Test: JWT_OLD still works after JWT_NEW issued? curl -H "Authorization: Bearer JWT_OLD" https://target.com/api/me # 200 OK โ JWT_OLD still valid โ concurrent JWT access # Secure fix: maintain token_version per user # Every new login: user.token_version++ # Every JWT validation: reject if jwt.version < user.token_version
Credential Stuffing Persistence via Concurrent Sessions
Credential Stuffing Stays Undetected
# Without concurrent session limits: # 1. Credential stuffing attack runs โ tests thousands of accounts # 2. Valid credentials found โ attacker logs in # 3. Victim is ALREADY logged in (their existing session) # 4. No account lockout triggered (attacker got it right first try) # 5. No notification sent (no concurrent session alert) # 6. Both sessions valid indefinitely # 7. Victim has zero indication of compromise # 8. Attacker monitors victim's activity silently for days # # This is why concurrent session control matters: # It ensures that at least the victim gets kicked out or notified # forcing a detection event when credentials are stolen
๐๏ธ Session Enforcement Models
Single Session (Strict)
Only one active session per user. New login invalidates all previous sessions. User must re-authenticate on each new device. Best for banking, healthcare, admin panels.
Most Secure
Session Limit (N max)
Allow up to N sessions (e.g., 3). Oldest invalidated when limit exceeded. Balances multi-device support with security. Good for SaaS and multi-device apps.
Good Balance
Notify + Allow
Multiple sessions allowed but email/push notification sent for every new login from new IP or device. User can investigate and revoke. Good for consumer apps.
Acceptable
No Control (Default)
Unlimited concurrent sessions, no notification, no session management dashboard. This is what most apps have by default โ and what we are testing for.
VULNERABLE
๐ ๏ธ Framework Fix Reference
| Framework | Default (Vulnerable) | Secure Fix |
|---|---|---|
| Node/Express | Sessions stored without per-user limit | On login: DELETE all sessions WHERE user_id=?, then create new session |
| Django | Default allows multiple concurrent logins | django-user-sessions โ set MAX_SESSION_COUNT = 1 |
| Laravel | Auth::login() keeps all previous sessions | session()->invalidateOthers() after login |
| Spring Boot | No concurrent session limit by default | maximumSessions(1) in HttpSecurity session management config |
| PHP | session_start() creates new session each time | Track active_sessions in DB; DELETE old ones on new login |
| JWT | Multiple JWTs valid simultaneously | Maintain token_version per user; increment on login; reject old version |
| Redis | Sessions stored without per-user tracking | KEYS session:userid:* โ DEL all โ create new on login |
๐ Real Simultaneous Login Bug Chains
Credential Theft + Concurrent Session + No Notification = Silent Takeover
Attacker obtains credentials โ logs in via concurrent session โ victim continues normal use โ no notification sent โ attacker exfiltrates data for days completely undetected
MEDIUM ๐ฐ
Concurrent Admin Session โ Full App Control While Admin Unaware
Admin credentials obtained โ attacker logs in alongside real admin โ both admin sessions valid โ attacker reads all users, modifies settings, downloads data โ real admin sees nothing
HIGH ๐ฐ
Concurrent Session + Missing Timeout = Days of Persistent Access
Concurrent sessions allowed + no idle timeout โ attacker’s session active for 7+ days โ victim changes password but attacker’s token never expires โ indefinite access
HIGH ๐ฐ
JWT Concurrent Access โ Token Version Never Incremented
Attacker obtains JWT_OLD โ user logs in again creating JWT_NEW โ JWT_OLD still valid (no version control) โ both tokens authenticate simultaneously forever
MEDIUM ๐ฐ
Concurrent Session + IDOR = Accelerated Mass Data Breach
Stolen credentials โ concurrent session established โ IDOR vulnerability exploited from attacker session โ enumerate all user IDs โ mass PII download
HIGH ๐ฐ
Banking Concurrent Session โ Financial Fraud While Customer Watches
Financial app allows concurrent sessions โ attacker logs in while customer views balance โ attacker initiates transfers โ both sessions active โ customer may see changes but does not know why
HIGH ๐ฐ
๐ก๏ธ Defense Against Simultaneous Login
โ
The Core Fix
Choose an enforcement model and implement it server-side. At minimum: send a login notification email/push for every new login from a new IP or device. For sensitive apps: enforce single-session and invalidate previous tokens on new login. Always provide users with an “Active Sessions” management page.
Node.js โ Single Session Enforcement
// On every login โ invalidate all previous sessions for this user app.post('/api/login', async (req, res) => { const user = await authenticate(req.body.email, req.body.password); if (!user) return res.status(401).json({error: 'Invalid credentials'}); // SINGLE SESSION ENFORCEMENT: // Delete ALL existing sessions for this user first await db.query( 'DELETE FROM sessions WHERE user_id = ?', [user.id] ); // Create new session req.session.regenerate((err) => { req.session.userId = user.id; req.session.loginTime = Date.now(); res.json({success: true}); }); // Send login notification email await sendLoginAlert(user.email, req.ip, req.headers['user-agent']); });
JWT โ Token Version Concurrency Control
// JWT payload includes token version const token = jwt.sign({ user_id: user.id, token_version: user.token_version // increment on every login }, process.env.JWT_SECRET, {expiresIn: '15m'}); // On login: increment token_version in DB await db.query( 'UPDATE users SET token_version = token_version + 1 WHERE id = ?', [user.id] ); // On every authenticated request: verify token version function authenticate(req, res, next) { const decoded = jwt.verify(token, secret); const user = await db.query('SELECT token_version FROM users WHERE id=?', [decoded.user_id]); if (decoded.token_version < user.token_version) { return res.status(401).json({error: 'Session superseded'}); } next(); }
๐ Security Checklist
โ Implement session enforcement model (single, N-limit, or notify-on-new)
โ Send email/push notification on every login from new IP or device
โ Provide “Active Sessions” management page โ let users see and revoke
โ JWT: implement token_version counter โ increment on login, reject older
โ Invalidate all sessions on password change
โ Log all session creation with IP, timestamp, User-Agent for audit trail
โ For admin accounts: enforce single-session โ no concurrent admin access
โ Implement device fingerprinting to detect unusual new sessions
๐ Learn More โ External Resources
๐ OWASP WSTG-SESS-04 โ Concurrent Session Testing
๐ PortSwigger โ Authentication and Session Labs
๐ OWASP Session Management Cheat Sheet
๐ OWASP A07:2021 โ Authentication Failures
๐ More from devtechnoblog.in
๐ Session Hijacking โ Complete Bug Bounty Guide
๐ Missing Session Timeout Guide
๐ Insecure Logout Guide
๐ Session Fixation Guide
๐ง Key Takeaways โ Simultaneous Login
- Simultaneous Login = attacker logs in alongside the victim โ both sessions valid, victim completely unaware
- Test with two browsers: Chrome + Firefox or Chrome + Incognito โ both return 200 on /api/me with same user_id = confirmed
- Always check for login notifications โ missing notification multiplies the finding’s impact significantly
- Check for “Active Sessions” management page โ if missing, users cannot even detect or remediate on their own
- Test JWT specifically โ multiple JWTs from the same user simultaneously valid is very common and often forgotten
- Severity is context-dependent โ banking/healthcare/admin = High; casual forum = Low/Informational
- Test how many sessions can be created โ 5 or 10 concurrent sessions with no limit = stronger severity argument
- Always test session invalidation on password change โ concurrent + no invalidation = a High chain
- Frame the report around the detection problem โ victim has absolutely no signal of compromise
- Admin accounts are significantly more impactful โ concurrent admin access = full undetected application control
๐ฐ Real Bounty โ $2,500
A project management SaaS had no concurrent session limit and no new-login notification. Attacker obtained credentials via phishing โ logged in alongside victim โ monitored all project activity for 3 days undetected. No “Active Sessions” page for victim to check. Rated Medium with a $2,500 bounty. Would have been High if admin account or financial data were involved.
