Hi,
I was wondering if my understanding is correct: if your authenticator is
configured at web-app level, the user is logged out when the session with
that specific web-app is killed? However, if the authenticator is configured
at host level, then you might still be logged in through other sessions with
other web-apps. That's the reason why killing the session is not enough to
completely log out in certain configurations.
Thanks,
Tibi
----- Original Message -----
From: "Martín Córdova" <mcordova@xxx.com>
To: <resin-interest@xxx.com>
Sent: Wednesday, April 17, 2002 10:20 PM
Subject: Re: Security Issue with built-in form-based login
> Alan, I am trying to reproduce the problem, but have had no trouble yet.
>
> When you say "user A leaves the computer" you mean that user A logs off or
> user A closes his/her browser's window? I tested both scenarios without
> problem.
>
> We are not using persistent cookies (that would create trouble for more
> than one user on the same PC), and we are not experiencing this problem. We
> also use the JdbcAuthenticator (actually a subclass of it).
>
> I only define a timeout for my session-config element. Nothing else. I am
> using Resin v2.1 (a recent snapshot).
>
> Tip: a small session listener would reveal if the session is being
> destroyed or not. Proper logout (beyond session.invalidate()) is also
> important.
>
> Regards,
> Martin
>
>
>
> ----- Original Message -----
> From: "Alan Wright" <alan.wright@xxx.com>
> To: <resin-interest@xxx.com>
> Sent: Wednesday, April 17, 2002 3:16 PM
> Subject: Security Issue with built-in form-based login
>
>
> > Hi
> >
> > We are using form-based login and the JdbcAuthenticator and have got our
> > environment set up and working OK.
> >
> > We have noticed what could be a security issue using the following
> > sequence of actions:
> >
> > login to authenticating site as user A via standard login form
> > user A next visits another site without logging out of the
> > authenticating site
> > user A leaves the computer
> > user B sits at the computer and logs in to the authenticating site as
> > user B via standard login form
> > user B is presented with data which was associated with user A's session
> >
> >
> > It seems that this is probably something to do with the browser cookie
> > used for session tracking but I would expect the act of logging in to
> > remove any session data associated with a prior login.
> >
> > Consider a browser in a shared computer in an office or in a public
> > library for example.
> >
> > If there are some configuration options I should set to prevent such
> > behaviour I would be interested to hear about them.
> >
> > many thanks
> >
> > Alan Wright
> >
> > Athene Systems Ltd
> >
> >
>
>
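The thread above describes two things a practitioner would want to see in code: the behaviour Alan expected (a new login must not inherit the session a previous user left behind in the same browser) and the diagnostic Martin suggests (a session listener that shows whether the container really destroys the session). The following is an added example written for this archive page; it is not Resin's built-in form login, not the JdbcAuthenticator, and not code posted by any participant. The servlet class names, the URL parameters `j_username`/`j_password`, the in-memory credential map standing in for the JDBC lookup, the `JSESSIONID` cookie name and the redirect targets are all assumptions made for illustration. The example uses the plain Servlet API so it can be dropped into any servlet container, Resin included; it does not address the host-level authenticator case Tibi asks about, which depends on the container's own logout hooks.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical login handler (example code, not Resin's form login).
 * Any session the browser presents is invalidated before the new user is
 * stored, so user B never sees attributes left behind by user A.
 */
public class LoginServlet extends HttpServlet {

    // Constructed placeholder standing in for the JdbcAuthenticator lookup.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("userA", "passA");
        USERS.put("userB", "passB");
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("j_username");   // assumed field names
        String pass = req.getParameter("j_password");
        if (!authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The step Alan expected: the session user A left logged in is
        // destroyed here rather than being inherited by user B.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        // After invalidate(), getSession(true) issues a new session id with
        // an empty attribute set, so nothing from the old login carries over.
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute("user", user);

        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + "/");
    }

    static boolean authenticate(String user, String pass) {
        if (user == null || pass == null) {
            return false;
        }
        String expected = USERS.get(user);
        return expected != null && expected.equals(pass);
    }
}

/**
 * Logout beyond session.invalidate(): also expire the session-tracking
 * cookie so the browser stops presenting the old id, and keep the logout
 * response out of the cache on a shared machine. Cookie name assumed.
 */
class LogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession s = req.getSession(false);
        if (s != null) {
            s.invalidate();
        }
        Cookie kill = new Cookie("JSESSIONID", "");
        kill.setMaxAge(0);                       // delete immediately
        String ctx = req.getContextPath();
        kill.setPath(ctx.length() == 0 ? "/" : ctx);
        resp.addCookie(kill);
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(ctx + "/login.html");   // assumed login page
    }
}

/**
 * Martin's diagnostic: logs every session creation and destruction so an
 * operator can confirm the container really destroys the session on login
 * and logout. Register it in web.xml with a <listener> element.
 */
class SessionAuditListener implements HttpSessionListener {
    public void sessionCreated(HttpSessionEvent e) {
        System.out.println("session created: " + e.getSession().getId());
    }

    public void sessionDestroyed(HttpSessionEvent e) {
        System.out.println("session destroyed: " + e.getSession().getId());
    }
}
```

With the listener registered, reproducing Alan's sequence should print one "session destroyed" line for user A's id when user B submits the login form, followed by a "session created" line with a different id; if the destroyed line never appears, the container is still handing the old session to the new login and the attributes set for user A remain reachable.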
Received on Wed 17 Apr 2002 13:34:48 -0700
This archive was generated by hypermail 2.1.8 : Thu Sep 28 2006 - 20:17:01 PDT