Posted to users@cocoon.apache.org by Ulrich Mayring <ul...@denic.de> on 2004/12/21 15:41:32 UTC
Auth block: logout doesn't invalidate Sessions
Hello,
after logging out I can still access the previous session by typing in
the URL of the form
http://foo.com/protected.xml;jsessionid=2C0C8021BCD24D4BEE48E4E4BF642EC9
All the session information is still there, I can output it on that page
with something like:
<session:getxml context="authentication" path="/authentication/ID"/>
The logout action itself is called, I checked that with a redirect
directly after it.
It is not a browser cache issue, because the session is also accessible
with another browser that I only just started up after login.
Is this a security leak? Is there a way to use cookies instead? Thought
that would be the default for Tomcat anyway, as I have nothing
configured. This is cocoon 2.1.6
Ulrich
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org
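To make the behaviour reported above concrete, here is an added example (not code from the post, from Cocoon or from Tomcat): a small stand-alone model of container-style session handling with URL rewriting. It parses the `;jsessionid=` path parameter, resolves the session the way a container does (cookie first, then the path parameter), and contrasts a logout that only discards the client's cookie with one that invalidates the session on the server. The session store, the constructed authentication value `user42` and the URLs are all assumptions made for the demonstration.

```python
"""Toy model of servlet-style session handling with URL rewriting.

Constructed, stand-alone example (not Cocoon or Tomcat code).  It mimics
the ';jsessionid=' path parameter that Tomcat appends when URL rewriting
is in use, and contrasts a logout that only discards the client's cookie
(the server-side session, with all its attributes, stays live and can be
reused from any client that knows the ID) with a logout that invalidates
the session on the server.  Store, IDs and URLs are made up here.
"""
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Tomcat writes the id as a path parameter, e.g. /protected.xml;jsessionid=ABCD
_JSESSIONID_RE = re.compile(r";jsessionid=([0-9A-Fa-f]+)", re.IGNORECASE)


def session_id_from_uri(uri: str) -> Optional[str]:
    """Return the URL-rewritten session id, or None.

    Only the path is inspected: a ';jsessionid=' inside the query string
    is not a path parameter and must not be honoured."""
    path = uri.split("?", 1)[0]
    m = _JSESSIONID_RE.search(path)
    return m.group(1).upper() if m else None


@dataclass
class Session:
    sid: str
    attributes: Dict[str, object] = field(default_factory=dict)


class SessionStore:
    """Server-side registry; a session exists exactly while it is in here."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> Session:
        s = Session(secrets.token_hex(16).upper())
        self._sessions[s.sid] = s
        return s

    def lookup(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def invalidate(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def resolve_session(store: SessionStore, uri: str,
                    cookie_sid: Optional[str] = None) -> Optional[Session]:
    """Resolve the request's session the way a container does: cookie first,
    then the ;jsessionid= path parameter.  Whoever presents a valid id gets
    the session, cookie or not (the id is a bearer token)."""
    for sid in (cookie_sid, session_id_from_uri(uri)):
        if sid is not None:
            s = store.lookup(sid)
            if s is not None:
                return s
    return None


def logout_client_only(store: SessionStore, session: Session) -> None:
    """Broken logout: the browser is told to drop its cookie, but nothing
    happens on the server, so the session and its attributes survive."""
    pass  # server-side store deliberately untouched


def logout_invalidate(store: SessionStore, session: Session) -> None:
    """Correct logout: the equivalent of HttpSession.invalidate()."""
    store.invalidate(session.sid)


def demo() -> Dict[str, object]:
    """Replay the scenario from the post against both logout variants."""
    store = SessionStore()
    s = store.create()
    s.attributes["authentication"] = {"ID": "user42"}  # constructed value
    rewritten_url = f"http://foo.com/protected.xml;jsessionid={s.sid}"

    out: Dict[str, object] = {}

    logout_client_only(store, s)
    # A freshly started browser (no cookie) pastes the rewritten URL ...
    found = resolve_session(store, rewritten_url)
    out["after_client_only_logout"] = (
        found.attributes["authentication"]["ID"] if found else None)

    logout_invalidate(store, s)
    found = resolve_session(store, rewritten_url)
    out["after_invalidate"] = (
        found.attributes["authentication"]["ID"] if found else None)
    return out


if __name__ == "__main__":
    print(demo())
```

The model makes the security point explicit: as long as the server-side session object exists, the id is a bearer token, and a URL-rewritten id is exposed in browser history, proxy logs and referrers. Keeping the id out of URLs (cookie-only tracking, or not emitting rewritten links) narrows that exposure, but only invalidating the session on logout actually ends it.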
Re: Auth block: logout doesn't invalidate Sessions
Posted by Ulrich Mayring <ul...@denic.de>.
Ulrich Mayring wrote:
> Hello,
>
> after logging out I can still access the previous session by typing in
> the URL of the form
> http://foo.com/protected.xml;jsessionid=2C0C8021BCD24D4BEE48E4E4BF642EC9
By chance I stumbled upon the encodeURL transformer and if I use that,
then the session IS invalidated. Perhaps a bug.
Ulrich