This is not a security issue of Resin. It's a matter of choice of how you
want to implement your application.
Nobody stops you from invalidating the session in the login.jsp and requesting
a new session.
The drawback is that you lose the initial request URL (which is stored in
the session). You could probably save it before in the page context and
write it out in the <j_uri> resin-specific field. You can kill the session
after the page is rendered. Resin will create a new session when your new
user is logging in.
Otherwise the behaviour you describe is logical: the session does not get
killed while the other user does not log out; the cookie being the same,
it's clear that the same session information is retrieved. I would probably
find it unexpected behaviour if whenever a user hits a login page their
session would be killed by default.
But again, it's an application implementation matter, not a Resin problem.
Tibi
----- Original Message -----
From: "Alan Wright" <alan.wright@xxx.com>
To: <resin-interest@xxx.com>
Sent: Wednesday, April 17, 2002 9:16 PM
Subject: Security Issue with built-in form-based login
> Hi
>
> We are using form based login and the jdbcAuthenticator and have got our
> environment set up and working OK.
>
> We have noticed what could be a security issue using the following
> sequence of actions:
>
> login to authenticating site as user A via standard login form
> user A next visits another site without logging out of the
> authenticating site
> user A leaves the computer
> user B sits at the computer and logs in to the authenticating site as
> user B via standard login form
> user B is presented with data which was associated to user A's session
>
>
> It seems that this is probably something to do with the browser cookie
> used for session tracking but I would expect the act of logging in to
> remove any session data associated with a prior login.
>
> Consider a browser in a shared computer in an office or in a public
> library for example.
>
> If there are some configuration options I should set to prevent such
> behaviour I would be interested to hear about them.
>
> many thanks
>
> Alan Wright
>
> Athene Systems Ltd
>
>
Received on Wed 17 Apr 2002 13:12:50 -0700
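A login.jsp along the lines Tibi describes, as an added example that is not part of the thread and not Resin's own code: it copies the saved request URL out of the old session into the hidden j_uri field, renders the form, and only then invalidates that session so the next login starts from a fresh one. The session attribute name SAVED_URI_ATTR is a placeholder assumption (Resin's real attribute name is not given in the thread); j_security_check, j_username and j_password are the standard servlet form-login names.

```jsp
<%-- login.jsp: drop any session left behind by a previous user before the
     next login, while keeping the URL the container redirects to afterwards. --%>
<%@ page session="true" contentType="text/html" %>
<%!
    // HTML-escape the value so a stored URL cannot inject markup into the form.
    private static String escape(String s) {
        StringBuilder b = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': b.append("&amp;"); break;
                case '<': b.append("&lt;"); break;
                case '>': b.append("&gt;"); break;
                case '"': b.append("&quot;"); break;
                default: b.append(c);
            }
        }
        return b.toString();
    }
%>
<%
    // ASSUMPTION: the attribute under which the container saved the original
    // request URL. Replace with the name your Resin version actually uses.
    final String SAVED_URI_ATTR = "PLACEHOLDER_RESIN_SAVED_URI_ATTRIBUTE";

    // 1. Copy what we still need out of the old session *before* killing it,
    //    and park it in page scope so the form below can render it.
    String target = null;
    if (!session.isNew()) {
        Object saved = session.getAttribute(SAVED_URI_ATTR);
        if (saved instanceof String) target = (String) saved;
    }
    if (target == null) target = request.getContextPath() + "/";
    pageContext.setAttribute("target", target);
%>
<html><body>
<form method="post" action="j_security_check">
  <input type="hidden" name="j_uri" value="<%= escape((String) pageContext.getAttribute("target")) %>">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Login">
</form>
</body></html>
<%
    // 2. The page is rendered; discard the previous user's session now. The
    //    container issues a fresh session (and cookie) when the next user logs
    //    in, so user B can no longer see attributes stored for user A.
    if (!session.isNew()) {
        session.invalidate();
    }
%>
```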