Protecting OutSystems apps from authentication vulnerabilities

Solution

Hi Tiong,

The ActuallyLogin action is the Login System Action. As you can see in the flow, there's a previous Validate Token that should check if the token is valid and, if not, throw an exception. After that you log in the user (without password).

Solution

Thank you, Sir. So, when validateLogin... it is not logged in yet?

regards, 

tan

The ValidateToken should also check if the token hasn't expired yet.
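The flow both replies describe (ValidateToken checks the token's signature and expiry and raises an exception otherwise; only then is Login called without a password), as an added Python example that is not code from this thread or from OutSystems. The HMAC token format, the secret and the session stub are assumptions standing in for the platform's own pieces.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Assumption: a server-side secret used to sign tokens (constructed value).
SECRET = b"constructed-demo-secret"


class InvalidToken(Exception):
    """Raised by validate_token; the caller must not reach the login step."""


def issue_token(user_id, ttl_seconds, now, secret=SECRET):
    """Build '<payload>.<sig>' with an absolute expiry (hypothetical format)."""
    payload = json.dumps({"sub": user_id, "exp": now + ttl_seconds},
                         sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def validate_token(token, now, secret=SECRET):
    """The ValidateToken step: checks integrity, then expiry; raises on either failure."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        raise InvalidToken("malformed token")
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(sig, expected):
        raise InvalidToken("bad signature")
    claims = json.loads(payload)
    # The second reply's point: a valid signature is not enough, the token must be unexpired.
    if now >= claims["exp"]:
        raise InvalidToken("token expired")
    return claims["sub"]


def login_with_token(token, now):
    """ActuallyLogin equivalent: the password-less login runs only after validation passes."""
    user_id = validate_token(token, now)  # raises before any session is created
    return {"user": user_id, "session": "constructed-session-id"}
```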