To check if an application correctly closes the session, open the application using Burp Suite and then log in to the application with valid credentials:
- As you can see from the following screenshot, the application has created a session that is used for the guest (unauthenticated) user:
- Now access the application again, and you will see that it creates a new session for the logged-in user.
- Close the session, as follows:
- If the application correctly destroyed the session, it should not be possible to replay a request from that session. Go to History and select a request made by the logged-in user.
- Click on Send to Repeater, click on Go, and inspect the result. If the application still returns the response of a logged-in user, it is vulnerable; if not, it is not vulnerable.
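The Repeater step above can be expressed as a repeatable check. The following is an added Python example, not code from the book, Burp Suite or any real application: it models a tiny server-side session store whose logout either does or does not invalidate the session on the server, then replays a request with the old session identifier after logout, which is exactly what the Repeater test detects.

```python
import secrets
from dataclasses import dataclass, field

# Constructed in-memory model of an application's session handling so the
# logout/replay check can be exercised offline. Hypothetical code, not
# Burp Suite's and not any real application's.


@dataclass
class Response:
    status: int
    body: str


@dataclass
class App:
    # server-side session store: session id -> username
    sessions: dict = field(default_factory=dict)
    # whether logout really deletes the session on the server
    server_side_logout: bool = True

    def login(self, username: str, password: str) -> str:
        # Constructed credential check; a real app verifies a password hash.
        if password != "correct-password":
            raise ValueError("bad credentials")
        sid = secrets.token_urlsafe(32)  # fresh id issued at login
        self.sessions[sid] = username
        return sid

    def profile(self, sid: str) -> Response:
        user = self.sessions.get(sid)
        if user is None:
            return Response(302, "redirect to /login")
        return Response(200, f"Welcome, {user}")

    def logout(self, sid: str) -> Response:
        if self.server_side_logout:
            self.sessions.pop(sid, None)  # invalidate on the server
        # A vulnerable logout only tells the browser to drop the cookie
        # and leaves the server-side session alive.
        return Response(200, "Set-Cookie: session=; Max-Age=0")


def session_survives_logout(app: App) -> bool:
    """Mirror the Repeater test: log in, log out, then replay an
    authenticated request using the old session id. True means the
    old session still works, i.e. the application is vulnerable."""
    sid = app.login("alice", "correct-password")
    assert app.profile(sid).status == 200  # logged-in response first
    app.logout(sid)
    replay = app.profile(sid)  # same session id, after logout
    return replay.status == 200
```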