Kanboard is project management software that focuses on the Kanban
methodology. In affected versions, sessions remain usable even
though their lifetime has been exceeded. Kanboard implements a custom
session handler (`app/Core/Session/SessionHandler.php`) that stores
the session data in a database. Therefore, when a `session_id` is
supplied, Kanboard queries the data from the `sessions` SQL table. At
this point it does not correctly verify whether the given `session_id`
has already exceeded its lifetime (`expires_at`). Thus a session
whose lifetime has already elapsed, i.e. whose `expires_at` has been
passed by `time()`, is still read from the database and therefore still
counts as a valid login. The implemented
**SessionHandlerInterface::gc** function, which does remove invalid
sessions, is called only **with a certain probability** (_Cleans
up expired sessions. Called by `session_start()`, based on
`session.gc_divisor`, `session.gc_probability` and `session.gc_maxlifetime`
settings_) according to the PHP documentation. In the official
Kanboard Docker image these values default to `session.gc_probability=1`
and `session.gc_divisor=1000`. Thus an expired session is terminated
only with probability 1/1000. There are no known workarounds for
this vulnerability.
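The weak and hardened read paths described above, as an added PHP 8 example that is not Kanboard's code: the `sessions` table layout (`id`, `data`, `expires_at`), the class name and the method names are assumed, and an in-memory SQLite database keeps it self-contained.

```php
<?php
// Added illustration, not Kanboard's code. Schema and names are assumed.
class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $lifetime) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Weak pattern: any stored row counts, however old. Until gc() happens
    // to run, an expired session id is still accepted as a valid login.
    public function readWithoutExpiryCheck(string $id): string
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        return (string) $st->fetchColumn();
    }

    // Hardened: expiry is enforced on every read, independent of gc().
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires_at > ?');
        $st->execute([$id, time()]);
        $data = $st->fetchColumn();
        return $data === false ? '' : (string) $data;   // '' means "no session"
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, expires_at) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time() + $this->lifetime]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    // With gc_probability=1 and gc_divisor=1000 this runs on roughly 1 in 1000
    // session_start() calls, so it must not be the only place expiry is enforced.
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires_at <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT, expires_at INTEGER)');
$h = new DbSessionHandler($db, -3600);   // constructed: negative lifetime writes an already-expired row
$h->write('abc', 'user_id|i:1;');
var_dump($h->readWithoutExpiryCheck('abc'));   // weak path still hands back the stored data
var_dump($h->read('abc'));                     // hardened path treats the expired row as no session
```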