ofbiz-notifications mailing list archives

From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (OFBIZ-9302) logout security
Date Thu, 06 Apr 2017 10:20:41 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15958623#comment-15958623
] 

Jacques Le Roux edited comment on OFBIZ-9302 at 4/6/17 10:19 AM:
-----------------------------------------------------------------

OK, for the difference between browsers, it depends on your setting. Mine in Chrome included
removing cookies, I guess for the domain because nothing was left it seems, I did not check
deeper. But other browsers were only cache, not cookies. Anyway, we have session cookies by
web application. I guess we are only removing the cookie of the current application when logging
out. We could remove them for all applications. I'm not yet quite sure about that, did not
look at the code yet...


was (Author: jacques.le.roux):
OK, for the difference between browsers, it depends on your setting. Mine in Chrome included
removing cookies, I guess for the domain because nothing was let it seems, I did not check
deeper. But other browsers were only cache, not cookies. Anyway, we have session cookies by
web application. I guess we are only removing the cookie of the current application when login
out. We could remove them for all applications. I'm not yet quite sure about that, did not
look at the code yet...

> logout security
> ---------------
>
>                 Key: OFBIZ-9302
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9302
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL APPLICATIONS
>    Affects Versions: Release Branch 16.11
>            Reporter: Moatasim Al Masri
>         Attachments: logout2.wmv, logout.wmv
>
>
> I am trying to check OFBiz security authentication, and I found that when we logged out the session
> is still open in the browser, so that if we press back in the browser we can reopen the session and continue
> to see our application without any authentication.
> Please see the video attached: logout.wmv
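The behaviour reported above (a protected page still viewable after pressing back) and the comment about per-webapp session cookies both come down to what the logout response does. The following is an added illustration, not OFBiz code: a minimal in-memory model with two webapps, where logout invalidates every server-side session of the user, expires each application's cookie, and marks protected responses non-cacheable so the back button re-requests instead of replaying. The cookie names, paths and `checkLogin` redirect target are assumptions for the example.

```python
import secrets
from typing import Dict, Tuple

# Constructed in-memory session store: cookie value -> (user, webapp).
SESSIONS: Dict[str, Tuple[str, str]] = {}

# Assumed: one session cookie per web application (two apps shown here).
COOKIE_NAMES = {"ecommerce": "JSESSIONID_ecommerce", "catalog": "JSESSIONID_catalog"}

# Headers that stop the browser from serving a protected page from its cache
# when the user navigates back after logging out.
NO_STORE = {"Cache-Control": "no-store, no-cache, must-revalidate",
            "Pragma": "no-cache", "Expires": "0"}


def login(user: str, webapp: str) -> str:
    """Create a server-side session for one webapp; return the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = (user, webapp)
    return sid


def protected_page(webapp: str, cookies: Dict[str, str]) -> Tuple[int, dict]:
    """Serve the page only for a live session of this webapp, never cacheable."""
    sid = cookies.get(COOKIE_NAMES[webapp])
    if sid is None or SESSIONS.get(sid, (None, None))[1] != webapp:
        # Assumed redirect target for an unauthenticated request
        return 302, {"Location": f"/{webapp}/control/checkLogin", **NO_STORE}
    return 200, {"Content-Type": "text/html", **NO_STORE}


def logout(webapp: str, cookies: Dict[str, str]) -> Tuple[int, dict]:
    """Invalidate all of the user's sessions across webapps and expire each cookie."""
    sid = cookies.get(COOKIE_NAMES[webapp])
    if sid in SESSIONS:
        user = SESSIONS[sid][0]
        for stale in [s for s, (u, _) in SESSIONS.items() if u == user]:
            del SESSIONS[stale]  # server-side invalidation, not just cookie removal
    # Expire the cookie of every application, not only the one logged out from
    set_cookie = [f"{name}=; Max-Age=0; Path=/{app}; HttpOnly; Secure"
                  for app, name in COOKIE_NAMES.items()]
    return 302, {"Location": f"/{webapp}/control/main",
                 "Set-Cookie": set_cookie, **NO_STORE}


if __name__ == "__main__":
    sid = login("admin", "ecommerce")
    print(protected_page("ecommerce", {"JSESSIONID_ecommerce": sid})[0])  # 200
    logout("ecommerce", {"JSESSIONID_ecommerce": sid})
    print(protected_page("ecommerce", {"JSESSIONID_ecommerce": sid})[0])  # 302
```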



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
