Re: Security Issue with built-in form-based login

From: Martín Córdova <mcordova@xxx.com>
Date: Wed Apr 17 2002 - 13:20:43 PDT

Alan, I am trying to reproduce the problem, but have had no trouble yet.

When you say "user A leaves the computer", do you mean that user A logs off, or
that user A closes his/her browser window? I tested both scenarios without
problems.

We are not using persistent cookies (that would create trouble for more than
one user on the same PC), and we are not experiencing this problem. We also
use the JdbcAuthenticator (actually a subclass of it).

I only define a timeout for my session-config element. Nothing else. I am
using Resin v2.1 (a recent snapshot).

Tip: a small session listener would reveal if the session is being destroyed
or not. Proper logout (beyond session.invalidate()) is also important.

Regards,
Martin
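The listener Martin suggests, together with a login that throws away the session the browser brought in before creating a new one and a logout that goes beyond session.invalidate(), as an added example that is not code from this thread or from Resin. It assumes the Servlet 2.3 API, an application-managed login servlet (with the container's own j_security_check form login the container does the authentication; this shows the behaviour you want from it), the standard JSESSIONID cookie name, and a hypothetical checkPassword() placeholder standing in for the JDBC lookup:

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/*
 * Register the listener in web.xml as
 *   <listener><listener-class>SessionHygiene$Audit</listener-class></listener>
 * and map SessionHygiene$LoginServlet / SessionHygiene$LogoutServlet to the URLs
 * your login form posts to and your logout link points at.
 */
public class SessionHygiene {

    /** Logs every session create/destroy so the log shows whether a login really replaced the old session. */
    public static class Audit implements HttpSessionListener {
        public void sessionCreated(HttpSessionEvent e) {
            HttpSession s = e.getSession();
            System.out.println("session created   id=" + s.getId()
                    + " created=" + s.getCreationTime()
                    + " maxInactive=" + s.getMaxInactiveInterval() + "s");
        }

        public void sessionDestroyed(HttpSessionEvent e) {
            // Fires on explicit invalidate() and on timeout. If nothing is logged between
            // user A's login and user B's login, B's login reused A's session.
            System.out.println("session destroyed id=" + e.getSession().getId());
        }
    }

    /** Application-managed login: discards any pre-existing session BEFORE trusting the new credentials. */
    public static class LoginServlet extends HttpServlet {
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String user = req.getParameter("j_username");
            String pass = req.getParameter("j_password");

            // 1. Drop whatever session the browser presented. On a shared PC this is
            //    user A's session if A never logged out and the browser stayed open.
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }

            // 2. Check the credentials. Failing here leaves the browser with no valid session.
            if (!checkPassword(user, pass)) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }

            // 3. Only now create a fresh session: B starts with no attributes from A,
            //    and B's cookie carries a new id rather than the one A was using.
            HttpSession fresh = req.getSession(true);
            fresh.setAttribute("user", user);
            resp.sendRedirect(req.getContextPath() + "/");
        }

        /** Hypothetical placeholder for the JDBC lookup; fails closed until you wire it up. */
        protected boolean checkPassword(String user, String pass) {
            if (user == null || pass == null || user.length() == 0) {
                return false;
            }
            return false; // replace with your database check
        }
    }

    /** Proper logout: invalidate the server-side session AND expire the cookie the browser still holds. */
    public static class LogoutServlet extends HttpServlet {
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            HttpSession s = req.getSession(false);
            if (s != null) {
                s.invalidate();
            }
            // invalidate() alone leaves JSESSIONID in the browser; expire it so the next
            // request from this browser arrives with no session id at all.
            String ctx = req.getContextPath();
            Cookie gone = new Cookie("JSESSIONID", "");
            gone.setMaxAge(0);
            gone.setPath(ctx.length() == 0 ? "/" : ctx);
            resp.addCookie(gone);
            resp.sendRedirect(ctx + "/login.jsp");
        }
    }
}
```

With the listener deployed, run Alan's sequence and watch the log: a correct login prints a "destroyed" line for A's id followed by a "created" line with a different id. If B's login prints no "destroyed" line, the login path is reusing A's session and step 1 above is what is missing.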

----- Original Message -----
From: "Alan Wright" <alan.wright@xxx.com>
To: <resin-interest@xxx.com>
Sent: Wednesday, April 17, 2002 3:16 PM
Subject: Security Issue with built-in form-based login

> Hi
>
> We are using form based login and the jdbcAuthenticator and have got our
> environment set up and working OK.
>
> We have noticed what could be a security issue using the following
> sequence of actions:
>
> login to authenticating site as user A via standard login form
> user A next visits another site without logging out of the
> authenticating site
> user A leaves the computer
> user B sits at the computer and logs in to the authenticating site as
> user B via standard login form
> user B is presented with data which was associated to user A's session
>
>
> It seems that this is probably something to do with the browser cookie
> used for session tracking but I would expect the act of logging in to
> remove any session data associated with a prior login.
>
> Consider a browser in a shared computer in an office or in a public
> library for example.
>
> If there are some configuration options I should set to prevent such
> behaviour I would be interested to hear about them.
>
> many thanks
>
> Alan Wright
>
> Athene Systems Ltd
>
>
Received on Wed 17 Apr 2002 13:20:43 -0700

This archive was generated by hypermail 2.1.8 : Thu Sep 28 2006 - 20:17:01 PDT