In the case where a list owner or moderator password has been compromised, or when performing a change of owner/moderator, one should obviously change the related passwords. However, if a former owner/moderator (or the person who stole the password) still has their browser open, their cookie is still valid and they can continue to access and change the list.
I've been perusing the various docs to see if there is a method to purge state such that web UI users are required to re-authenticate (either globally or on a per-list basis), but cannot find anything. Simply restarting Apache isn't sufficient (determined empirically). Does this feature exist? If so, any pointers are appreciated.

Running mailman-2.1.16 with httpd-2.2.15.

Devin