[jira] [Commented] (OFBIZ-9302) logout security
[ https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15958623#comment-15958623 ]

Jacques Le Roux commented on OFBIZ-9302:

OK, for the difference between browsers, it depends on your setting. Mine in Chrome included removing cookies, I guess for the domain, because nothing was left, it seems; I did not check deeper. But other browsers were only cache, not cookies. Anyway, we have session cookies per web application. I guess we are only removing the cookie of the current application when logging out. We could remove them for all applications. I'm not yet quite sure about that, did not look at the code yet...

> logout security
> ---
>
> Key: OFBIZ-9302
> URL: https://issues.apache.org/jira/browse/OFBIZ-9302
> Project: OFBiz
> Issue Type: Bug
> Components: ALL APPLICATIONS
> Affects Versions: Release Branch 16.11
> Reporter: Moatasim Al Masri
> Attachments: logout2.wmv, logout.wmv
>
> I am trying to check OFBIZ security authentication, and I found that when we log out, the session is still open in the browser: if we press back in the browser we can reopen the session and continue to see our application without any authentication.
> Please see the attached video: logout.wmv

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (OFBIZ-9302) logout security
[ https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954883#comment-15954883 ]

Jacques Le Roux commented on OFBIZ-9302:

I'll use this as reference https://en.wikipedia.org/wiki/Wikipedia:Bypass_your_cache
[jira] [Commented] (OFBIZ-9302) logout security
[ https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954880#comment-15954880 ]

Jacques Le Roux commented on OFBIZ-9302:

What I mean is it's only a local issue as long as someone has not been able to take control of your machine (it's only in your local machine cache); which anyway would be a much greater problem than this. But it's still weird for FF and IE :/ I'll try to investigate there... I'll also check if older versions have this problem or not...
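One way to tell apart the two explanations raised in this thread (a page redisplayed from the local browser cache versus a session the server still accepts), as an added example that is not OFBiz code and not part of the original messages: replay the pre-logout cookie in a fresh request, with no browser cache involved. The toy server, the `/login`, `/logout` and `/protected` paths and the `JSESSIONID` handling are assumptions made for the illustration.

```python
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

def make_server(invalidate_on_logout):
    sessions = set()  # toy server-side session store (assumption, not OFBiz's)
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args): pass  # keep the demo quiet
        def do_GET(self):
            sid = (self.headers.get("Cookie") or "").partition("JSESSIONID=")[2]
            status, cookie = 200, None
            if self.path == "/login":
                sid = uuid.uuid4().hex
                sessions.add(sid)
                cookie = f"JSESSIONID={sid}; Path=/; HttpOnly"
            elif self.path == "/logout":
                if invalidate_on_logout:
                    sessions.discard(sid)  # server-side invalidation
                cookie = "JSESSIONID=; Path=/; Max-Age=0"  # client-side removal only
            elif sid not in sessions:
                status = 401  # protected page requested without a live session
            self.send_response(status)
            if cookie:
                self.send_header("Set-Cookie", cookie)
            self.send_header("Content-Length", "0")
            self.end_headers()
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def get(port, path, cookie=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Cookie": cookie} if cookie else {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Set-Cookie")

def diagnose(invalidate_on_logout):
    """Return (status before logout, status after logout) for the old cookie."""
    with make_server(invalidate_on_logout) as server:
        port = server.server_port
        _, set_cookie = get(port, "/login")
        old = set_cookie.split(";")[0]  # the cookie as it was before logout
        before, _ = get(port, "/protected", old)
        get(port, "/logout", old)
        after, _ = get(port, "/protected", old)  # fresh request, no cache
        server.shutdown()
        return before, after
```

A result of `(200, 401)` means the server rejects the old session and a page seen after pressing back can only come from the local cache; `(200, 200)` means the session was never invalidated on the server.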
[jira] [Commented] (OFBIZ-9302) logout security
[ https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954864#comment-15954864 ]

Moatasim Al Masri commented on OFBIZ-9302:

For sure, in your case the issue will not happen, because you clear and close all sessions manually.
[jira] [Commented] (OFBIZ-9302) logout security
[ https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954855#comment-15954855 ]

Jacques Le Roux commented on OFBIZ-9302:

But I reproduce on FF and IE11, weird again.
[jira] [Commented] (OFBIZ-9302) logout security
[ https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954853#comment-15954853 ]

Jacques Le Roux commented on OFBIZ-9302:

I mean just after having logged out and before going back. Because I don't reproduce on Chrome when using Ctrl+F5 then.
[jira] [Commented] (OFBIZ-9302) logout security
[ https://issues.apache.org/jira/browse/OFBIZ-9302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954763#comment-15954763 ]

Jacques Le Roux commented on OFBIZ-9302:

Could you please try the same with a browser cache clear before going back?

> logout security
> ---
>
> Key: OFBIZ-9302
> URL: https://issues.apache.org/jira/browse/OFBIZ-9302
> Project: OFBiz
> Issue Type: Bug
> Components: ALL APPLICATIONS
> Affects Versions: Release Branch 16.11
> Reporter: Moatasim Al Masri
> Attachments: logout.wmv
>
> I am trying to check OFBIZ security authentication, and I found that when we log out, the session is still open in the browser: if we press back in the browser we can reopen the session and continue to see our application without any authentication.
> Please see the attached video: logout.wmv