cocoon-users mailing list archives

From Ulrich Mayring <u...@denic.de>
Subject Auth block: logout doesn't invalidate Sessions
Date Tue, 21 Dec 2004 14:41:32 GMT
Hello,

after logging out I can still access the previous session by typing in 
the URL of the form 
http://foo.com/protected.xml;jsessionid=2C0C8021BCD24D4BEE48E4E4BF642EC9

All the session information is still there, I can output it on that page 
with something like:

<session:getxml context="authentication" path="/authentication/ID"/>

The logout action itself is called, I checked that with a redirect 
directly after it.

It is not a browser cache issue, because the session is also accessible 
with another browser that I only just started up after login.

Is this a security leak? Is there a way to use cookies instead? Thought 
that would be the default for Tomcat anyway, as I have nothing 
configured. This is Cocoon 2.1.6.

Ulrich
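
Whatever the auth block's own logout action does with its authentication context, the container-level backstop a defender wants is that logout ends the HttpSession itself, so that a replayed `;jsessionid=...` no longer resolves to the old session data. The filter below is an added example, not code from this thread or from Cocoon; the logout path and landing page are assumed names.

```java
// Added example (not from the thread or from Cocoon): a servlet Filter that
// guarantees the container session is invalidated on logout, regardless of
// what the application's own logout action does with its session contexts.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class LogoutInvalidateFilter implements Filter {
    private static final String LOGOUT_PATH = "/logout";   // assumed logout URI
    private static final String LANDING = "/index.html";   // assumed post-logout page

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!LOGOUT_PATH.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        // Let the application's logout action run first, so it can still read
        // the session it expects to find ...
        chain.doFilter(req, res);
        // ... then terminate the container session. From here on the old
        // session id, whether presented in a cookie or as ;jsessionid=..., maps
        // to no session: a request carrying it gets a fresh, empty one instead.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        if (!response.isCommitted()) {
            // No session exists now, so encodeRedirectURL appends no jsessionid.
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + LANDING));
        }
    }
}
```

Map the filter to the logout path in web.xml; a quick check is to log in, log out, then request a protected page with the old `;jsessionid=...` and confirm `session:getxml` returns nothing. On a Servlet 3.0 or later container, `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` additionally stops the container from ever appending the id to URLs, which the Servlet 2.4 containers of Cocoon 2.1.6's time do not offer.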

