cocoon-users mailing list archives

From Ulrich Mayring
Subject Auth block: logout doesn't invalidate Sessions
Date Tue, 21 Dec 2004 14:41:32 GMT

After logging out I can still access the previous session by typing in 
the URL of the form;jsessionid=2C0C8021BCD24D4BEE48E4E4BF642EC9

All the session information is still there, I can output it on that page 
with something like:

<session:getxml context="authentication" path="/authentication/ID"/>

The logout action itself is called, I checked that with a redirect 
directly after it.

It is not a browser cache issue, because the session is also accessible 
with another browser that I only just started up after login.

Is this a security leak? Is there a way to use cookies instead? Thought 
that would be the default for Tomcat anyway, as I have nothing 
configured. This is Cocoon 2.1.6.

