Invalidate session
------------------
Key: MAGNOLIA-3248
URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-3248
Project: Magnolia
Issue Type: Improvement
Components: core, security
Affects Versions: 4.3.2
Reporter: Grégory Joseph
Assignee: Philipp Bärfuss
Fix For: 4.3.x
Two issues in one:
* when logging out, the session is invalidated, but somehow a session gets
recreated with the same ID as previously (but session.isNew() is true) for the
anonymous user (while there is no session for anonymous users if no session
existed previously)
* when logging in, the existing session is *not* invalidated, and likewise, the
same session ID is kept.
This behavior is seen as a threat by security inspecting systems. At the very
least, we should indeed invalidate an existing session when logging in.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.magnolia-cms.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
----------------------------------------------------------------
For list details see
http://www.magnolia-cms.com/home/community/mailing-lists.html
To unsubscribe, E-mail to: <[email protected]>
----------------------------------------------------------------
