Hi
We are using form based login and the jdbcAuthenticator and have got our
environment set up and working OK.
We have noticed what could be a security issue using the following sequence of actions:
1. login to authenticating site as user A via standard login form
2. user A next visits another site without logging out of the authenticating site
3. user A leaves the computer
4. user B sits at the computer and logs in to the authenticating site as user B via standard login form
5. user B is presented with data which was associated to user A's session
It seems that this is probably something to do with the browser cookie used for session tracking, but I would expect the act of logging in to remove any session data associated with a prior login.
Consider a browser in a shared computer in an office or in a public
library for example.
If there are some configuration options I should set to prevent such behaviour, I would be interested to hear about them.
Many thanks,
Alan Wright
Athene Systems Ltd
Received on Wed 17 Apr 2002 12:16:58 -0700
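A defensive check for the behaviour described in the message above, added here as an example and not code from the original post or from any servlet container: a filter that remembers which principal first authenticated in an HttpSession and, when the container reports a different remote user on that same session, invalidates it so none of the first user's attributes survive into the second user's login. The class and attribute names are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (example code): binds a session to the user who first
 * authenticated in it. If user B logs in through a browser that still holds
 * user A's session cookie, the container will report B as the remote user on
 * A's session; this filter then discards that session, and all of A's
 * attributes with it, and starts a fresh one for B before the request proceeds.
 */
public class SessionOwnerFilter implements Filter {
    // Attribute name is an assumption of this example, not a container constant.
    static final String OWNER_ATTR = "example.sessionOwner";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // null until the container has authenticated this request
        String currentUser = request.getRemoteUser();
        HttpSession session = request.getSession(false);

        if (session != null && currentUser != null) {
            String owner = (String) session.getAttribute(OWNER_ATTR);
            if (owner == null) {
                // First authenticated request in this session: record its owner.
                session.setAttribute(OWNER_ATTR, currentUser);
            } else if (!owner.equals(currentUser)) {
                // Identity changed on a live session: drop the old data entirely
                // rather than letting B see what A left behind.
                session.invalidate();
                session = request.getSession(true);
                session.setAttribute(OWNER_ATTR, currentUser);
            }
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to every protected URL pattern so the check runs before application code reads session attributes. Some containers cache the authenticated principal inside the session itself, so after the reset user B may be asked to log in once more, which is the safe outcome here.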