Another issue our security audit picked up is when you request a bookmarkable (and perhaps others?) URL when you're logged out, that request gets stored in the HTTP session (this is an assumption based on how it appears to work).
When you then log in using the same session id, the user is taken to the previous page. This may look like a convenient feature for users with minimal security impact - since it only changes the first page a user sees and does not directly execute or change anything - but when combined with cross-site scripting vulnerabilities such as ISIS-884, it means an attacker can "preload" a malicious URL in a victim's session while they're logged out of the system, and if they log in before their session expires the malicious payload is executed. It means training your users not to browse the internet while they're logged in to the application is no longer an effective XSS mitigation. Is there a way to turn this feature off? Would there be any adverse effects of writing a servlet filter to destroy and recreate the HTTP session before the login page is displayed?

-------------------------------
This email and any attachments may contain information that is confidential and subject to legal privilege. If you are not the intended recipient, any use, dissemination, distribution or duplication of this email and attachments is prohibited. If you have received this email in error please notify the author immediately and erase all copies of the email and attachments. The Ministry of Social Development accepts no responsibility for changes made to this message or attachments after transmission from the Ministry.
-------------------------------

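The servlet filter the message asks about, sketched here as an added illustration rather than code from the application or project under discussion: when an unauthenticated client fetches the login page, the filter invalidates the existing HTTP session (and with it any target URL the application saved while the user was logged out) and starts a fresh one before the login form renders. The login path `/login`, the session attribute `authenticatedUser` that marks a logged-in user, and the javax.servlet API are assumptions for the example; substitute the application's real values.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example, not part of the application discussed above.
 * Drops the anonymous HTTP session when the login page is requested, so
 * that nothing stored before authentication (including a "saved request"
 * URL captured while the user was logged out) survives into the
 * authenticated session.
 */
public class FreshSessionOnLoginFilter implements Filter {

    // Assumed login page path; adjust to the application's actual URL.
    private static final String LOGIN_PATH = "/login";
    // Assumed session attribute the application sets once a user is authenticated.
    private static final String USER_ATTR = "authenticatedUser";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Request path relative to the web application's context root.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // Only act on the GET that renders the form. Invalidating on the login POST
        // would discard the session the form was bound to (e.g. a CSRF token).
        if ("GET".equals(request.getMethod()) && LOGIN_PATH.equals(path)) {
            // getSession(false) returns null rather than creating a session.
            HttpSession existing = request.getSession(false);
            if (existing != null && existing.getAttribute(USER_ATTR) == null) {
                // Anonymous session: discard it, including any preloaded target URL.
                existing.invalidate();
                // Start a clean session so the login form has one to bind to.
                request.getSession(true);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Map the filter ahead of the application's own filters on the login URL (in web.xml or via `@WebFilter(LOGIN_PATH)`). The adverse effects to expect are exactly what the anonymous session held: a saved post-login target, flash messages, a locale or theme choice made before logging in, and any pre-login CSRF token; anything an authenticated session needs must be created after the new session exists. If only the redirect is the concern, removing the specific session attribute that holds the saved request is a narrower alternative, but that requires knowing the attribute name the framework uses.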