Salted Hashing Issue – Configuration(7.7.4)


Objective

To prevent password replay attacks by restricting reuse of encrypted credentials to a defined time window after login.


Issue

Encrypted passwords submitted at login can be captured and reused, enabling a password replay attack.


Affected Module

  • Module: AppSec
  • Location: Login Page

Impact

  • Encrypted passwords do not expire immediately after login
  • A captured encrypted credential can be replayed to gain unauthorized access

Solution

Configuration File

<AE_Application>/conf/ae.properties

Add or update the properties below

ae.check.logintime=true
ae.logintime.window.seconds=10

Configuration Details

  • ae.check.logintime = true
    Enables login time validation on each login request
  • ae.logintime.window.seconds = 10
    Accepts an encrypted credential only within 10 seconds of its login time; the window tolerates clock drift between client and server
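The check the two properties enable can be illustrated with a small server-side model. The following is an added example written for this note, not Automation Anywhere's own code; it assumes a hypothetical login request that carries the client's login timestamp alongside the encrypted credential, and it parses the same two property keys from a constructed copy of ae.properties. It also goes one step beyond the page: a seen-credential cache rejects a second use of the same credential even inside the window, which the time check alone does not do.

```python
import time

# Constructed sample of the two ae.properties entries from the note.
CONSTRUCTED_PROPERTIES = """\
# login time validation (constructed sample, not a real server file)
ae.check.logintime=true
ae.logintime.window.seconds=10
"""


def parse_properties(text):
    """Parse Java-style key=value lines, ignoring blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def login_time_config(props):
    """Return (enabled, window_seconds) for the login time check."""
    enabled = props.get("ae.check.logintime", "false").lower() == "true"
    window = int(props.get("ae.logintime.window.seconds", "0"))
    return enabled, window


class LoginTimeValidator:
    """Hypothetical server-side validator modelling the configured check.

    A request is accepted only if its login timestamp lies within the
    configured window of the server clock (tolerating drift in either
    direction). Credentials accepted inside the window are remembered
    until they age out, so an identical replay is refused even while the
    window is still open.
    """

    def __init__(self, enabled, window_seconds):
        self.enabled = enabled
        self.window = window_seconds
        self._seen = {}  # encrypted credential -> server time first accepted

    def _expire_seen(self, now):
        # Drop entries that can no longer pass the time check anyway.
        self._seen = {cred: ts for cred, ts in self._seen.items()
                      if now - ts <= self.window}

    def validate(self, encrypted_credential, client_login_ts, now=None):
        """Return (accepted, reason) for one login request."""
        if not self.enabled:
            return True, "login time check disabled"
        now = time.time() if now is None else now
        self._expire_seen(now)
        if abs(now - client_login_ts) > self.window:
            return False, "login time outside %ds window" % self.window
        if encrypted_credential in self._seen:
            return False, "encrypted credential already used (replay)"
        self._seen[encrypted_credential] = now
        return True, "accepted"


def demo():
    """Walk through the note's validation steps against fixed clocks."""
    enabled, window = login_time_config(parse_properties(CONSTRUCTED_PROPERTIES))
    validator = LoginTimeValidator(enabled, window)
    cred = "CONSTRUCTED-ENCRYPTED-CREDENTIAL"  # placeholder, not a real value
    t0 = 1_700_000_000  # constructed login time (epoch seconds)
    results = [
        validator.validate(cred, t0, now=t0 + 3),    # fresh login, slight drift
        validator.validate(cred, t0, now=t0 + 5),    # replay inside window
        validator.validate(cred + "-2", t0, now=t0 + 11),  # reuse after window
    ]
    return [ok for ok, _ in results]


if __name__ == "__main__":
    for ok in demo():
        print("accepted" if ok else "rejected")
```

With the check enabled, the third request is rejected purely on the time window, which is the outcome the Validation section below expects; the second request shows why the window should stay short, since without a seen-credential cache it would be accepted.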

Validation

  1. Restart the AE server
  2. Perform a login and capture the encrypted login request
  3. Attempt to resubmit the captured request after the configured time window has elapsed

Expected Result:

  • The replayed login should fail once the configured time window has elapsed

Next Steps

  • Apply the configuration changes
  • Restart the AE server
  • Validate using penetration testing
  • Monitor authentication logs for any anomalies

Note

  • Ensure system time is synchronized across all servers, since the check compares client and server clocks
  • Adjust the time window to the client's security requirements; a shorter window narrows the replay opportunity
