[jira] [Commented] (OFBIZ-9302) logout security

2017-04-06 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15958623#comment-15958623
 ] 

Jacques Le Roux commented on OFBIZ-9302:


OK, for the difference between browsers, it depends on your setting. Mine in 
Chrome included removing cookies, I guess for the domain because nothing was 
left, it seems; I did not check deeper. But other browsers were only cache, not 
cookies. Anyway, we have session cookies by web application. I guess we are 
only removing the cookie of the current application when logging out. We could 
remove them for all applications. I'm not yet quite sure about that, did not 
look at the code yet...

> logout security
> ---
>
> Key: OFBIZ-9302
> URL: https://issues.apache.org/jira/browse/OFBIZ-9302
> Project: OFBiz
> Issue Type: Bug
> Components: ALL APPLICATIONS
> Affects Versions: Release Branch 16.11
> Reporter: Moatasim Al Masri
> Attachments: logout2.wmv, logout.wmv
>
>
> I am trying to check OFBIZ security authentication, and I found that when we 
> log out the session is still open in the browser: if we press back in the 
> browser we can reopen the session and continue to see our application without 
> any authentication. 
> Please see the attached video: logout.wmv 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
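
An added example, not part of the thread and not OFBiz code: a small audit of the two things the comment above separates, whether an authenticated page may be redisplayed from the local browser cache after logout, and whether the logout response expires the session cookie of every web application or only the current one. The cookie name `JSESSIONID`, the mount paths `/webapp-a` and `/webapp-b`, and all sample headers are constructed assumptions.

```python
def parse_set_cookie(line):
    """Split one Set-Cookie header value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in line.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def page_is_cacheable(headers):
    """True when the response lacks Cache-Control: no-store, so Back may redisplay it."""
    value = ""
    for key, val in headers.items():
        if key.lower() == "cache-control":
            value = val
    directives = {d.strip().lower().split("=")[0] for d in value.split(",")}
    return "no-store" not in directives


def audit_logout(page_headers, logout_set_cookies, webapp_paths, cookie_name="JSESSIONID"):
    """Return findings for one authenticated page response and one logout response."""
    expired = set()
    for line in logout_set_cookies:
        name, _value, attrs = parse_set_cookie(line)
        # Assumption: the server expires a cookie by sending Max-Age=0.
        if name == cookie_name and attrs.get("max-age") == "0":
            expired.add(attrs.get("path", "/"))
    findings = []
    if page_is_cacheable(page_headers):
        findings.append("authenticated page is cacheable; Back can redisplay it after logout")
    for path in sorted(set(webapp_paths) - expired):
        findings.append(f"{cookie_name} for {path} is not expired at logout")
    return findings


# Constructed sample data (not captured from OFBiz).
SAMPLE_WEBAPPS = ["/webapp-a", "/webapp-b"]
WEAK_PAGE = {"Cache-Control": "private"}
WEAK_LOGOUT = ["JSESSIONID=; Path=/webapp-a; Max-Age=0; HttpOnly"]
HARDENED_PAGE = {"cache-control": "no-cache, no-store, must-revalidate"}
HARDENED_LOGOUT = WEAK_LOGOUT + ["JSESSIONID=; Path=/webapp-b; Max-Age=0; HttpOnly"]

if __name__ == "__main__":
    for finding in audit_logout(WEAK_PAGE, WEAK_LOGOUT, SAMPLE_WEBAPPS):
        print("FINDING:", finding)
```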


[jira] [Commented] (OFBIZ-9302) logout security

2017-04-04 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954883#comment-15954883
 ] 

Jacques Le Roux commented on OFBIZ-9302:


I'll use this as reference: https://en.wikipedia.org/wiki/Wikipedia:Bypass_your_cache



[jira] [Commented] (OFBIZ-9302) logout security

2017-04-04 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954880#comment-15954880
 ] 

Jacques Le Roux commented on OFBIZ-9302:


What I mean is it's only a local issue as long as someone has not been able to 
take control of your machine (it's only in your local machine cache), which 
anyway would be a much greater problem than this. But it's still weird for FF 
and IE :/ I'll try to investigate there...

I'll also check if older versions have this problem or not...



[jira] [Commented] (OFBIZ-9302) logout security

2017-04-04 Thread Moatasim Al Masri (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954864#comment-15954864
 ] 

Moatasim Al Masri commented on OFBIZ-9302:

For sure in your case, the issue will not happen, because you clear and close 
all sessions manually.



[jira] [Commented] (OFBIZ-9302) logout security

2017-04-04 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954855#comment-15954855
 ] 

Jacques Le Roux commented on OFBIZ-9302:


But I reproduce on FF and IE11, weird again.



[jira] [Commented] (OFBIZ-9302) logout security

2017-04-04 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954853#comment-15954853
 ] 

Jacques Le Roux commented on OFBIZ-9302:


I mean just after having logged out and before going back. Because I don't 
reproduce on Chrome when using Ctrl+F5 then. 



[jira] [Commented] (OFBIZ-9302) logout security

2017-04-04 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954763#comment-15954763
 ] 

Jacques Le Roux commented on OFBIZ-9302:


Could you please try the same with a browser cache clear before going back?

> logout security
> ---
>
> Key: OFBIZ-9302
> URL: https://issues.apache.org/jira/browse/OFBIZ-9302
> Project: OFBiz
> Issue Type: Bug
> Components: ALL APPLICATIONS
> Affects Versions: Release Branch 16.11
> Reporter: Moatasim Al Masri
> Attachments: logout.wmv
>
>
> I am trying to check OFBIZ security authentication, and I found that when we 
> log out the session is still open in the browser: if we press back in the 
> browser we can reopen the session and continue to see our application without 
> any authentication. 
> Please see the attached video: logout.wmv 


