Posted to users@cocoon.apache.org by Ulrich Mayring <ul...@denic.de> on 2004/12/21 15:41:32 UTC

Auth block: logout doesn't invalidate Sessions

Hello,

after logging out I can still access the previous session by typing in 
the URL of the form 
http://foo.com/protected.xml;jsessionid=2C0C8021BCD24D4BEE48E4E4BF642EC9

All the session information is still there, I can output it on that page 
with something like:

<session:getxml context="authentication" path="/authentication/ID"/>

The logout action itself is called, I checked that with a redirect 
directly after it.

It is not a browser cache issue, because the session is also accessible 
with another browser that I only just started up after login.

Is this a security leak? Is there a way to use cookies instead? Thought 
that would be the default for Tomcat anyway, as I have nothing 
configured. This is cocoon 2.1.6

Ulrich


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org


Re: Auth block: logout doesn't invalidate Sessions

Posted by Ulrich Mayring <ul...@denic.de>.
Ulrich Mayring wrote:
> Hello,
> 
> after logging out I can still access the previous session by typing in 
> the URL of the form 
> http://foo.com/protected.xml;jsessionid=2C0C8021BCD24D4BEE48E4E4BF642EC9

By chance I stumbled upon the encodeURL transformer and if I use that, 
then the session IS invalidated. Perhaps a bug.

Ulrich
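The two observations above (a logged-out session that still resolves when its ID is replayed as a ";jsessionid=" path parameter, and logout only taking effect once the encodeURL transformer is involved) are both symptoms of the session never being invalidated on the server. The following is an added example, not code from this thread or from the Cocoon project: a plain Servlet-API logout that invalidates the container's session, plus a filter that refuses session IDs carried in the URL path at all. The class names, the "/login" target and the JSESSIONID cookie name are assumptions; it targets the javax.servlet API (Tomcat 9 and earlier).

```java
// Added example (not from the Cocoon thread or the Cocoon project).
// Assumptions: servlet container with the javax.servlet API, session cookie
// named JSESSIONID, a "/login" page to land on after logout.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false) never creates a session; null means "already anonymous".
        HttpSession session = req.getSession(false);
        if (session != null) {
            // Server-side invalidation is the step that actually matters: the ID is
            // dropped from the container's session map, so afterwards neither a
            // cookie nor a ";jsessionid=..." path parameter can resolve to it.
            session.invalidate();
        }
        // Expire the cookie on the client as well (belt and braces only).
        Cookie gone = new Cookie("JSESSIONID", "");
        gone.setMaxAge(0);
        gone.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        resp.addCookie(gone);
        // encodeRedirectURL() adds nothing here because the session is gone;
        // after invalidate() no ID should be appended to any URL.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/login"));
    }
}

// Companion filter (assumed name): map it to /* in web.xml so that a session ID
// supplied via URL rewriting is never honoured, regardless of how it got there.
class SessionHardeningFilter implements Filter {
    @Override
    public void init(FilterConfig cfg) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        if (req.isRequestedSessionIdFromURL()) {
            // The ID arrived as ";jsessionid=..." in the path. Such IDs leak through
            // Referer headers, proxy and access logs, and copied URLs, and they are
            // exactly what allows a logged-out URL to be replayed from another
            // browser. Kill whatever it resolved to and reject the request.
            HttpSession s = req.getSession(false);
            if (s != null) {
                s.invalidate();
            }
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "session id in URL not accepted");
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```

The check a practitioner would run against the deployed application is the one the original post describes: log in, note the ID, log out, then request a protected resource from a freshly started browser with ";jsessionid=<old id>" appended. With the code above the request is refused with a 400; even without the filter, a correctly invalidated session makes the old ID resolve to nothing, so the page must render with no session data. On Servlet 3.0 and later containers, URL rewriting can additionally be switched off declaratively with <session-config><tracking-mode>COOKIE</tracking-mode></session-config> in web.xml, which answers the "use cookies instead" question directly, although that option postdates the Cocoon 2.1.6 era of this thread.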

