I am experiencing a fairly major security issue with the admin interface. To reproduce it do the following steps:
1. Log into admin interface.
2. Copy the '.CMSAUTH_...' cookie which is created.
3. Exit / logout the admin interface.
4. Browse back to the admin interface (it should now ask you to log in again).
5. Re-create the '.CMSAUTH...' cookie that you copied from step 2.
6. Refresh the page and note that you are automatically logged in again.
So basically, someone can fish an authenticated cookie and then use this to log in at any time for eternity.
P.S. Google Chrome has an extension called 'EditThisCookie' that is useful for importing/exporting cookies.
Comments:

** Comment from web user: burningice **

The cookie basically just contains an encrypted username so there is no "Session" per se recorded on the server per login.
Yes, there should have been a "Session table" on the server and the cookie should only contain an id to a record in this table, and logging out invalidates/deletes this record.
This pattern is almost never used though - just storing the username of the logged in user is what 99% of all systems do, myself included, unless it's a huge site with logins from multiple platforms where you need to track who is logged in from where.
So saying that it's a major security hole is stretching it a bit, but one could argue that an off-the-shelf CMS system should strive to use best practices. Small steps, maybe it will come. It's only recently that passwords were hashed instead of "encrypted" with a static key which could be found by searching through the source code.
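
The two designs discussed in this thread, side by side, as an added example (not part of the original thread and not the CMS's own code). An HMAC-signed username stands in for the encrypted-username cookie, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed key, for this demo only


def _mac(username: str) -> str:
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()


class StatelessAuth:
    """Cookie carries the username plus a MAC; the server keeps no record."""

    def login(self, username: str) -> str:
        return f"{username}.{_mac(username)}"

    def logout(self, cookie: str) -> None:
        pass  # nothing to revoke server-side; only the browser's copy goes away

    def authenticate(self, cookie: str) -> Optional[str]:
        username, _, mac = cookie.rpartition(".")
        ok = hmac.compare_digest(mac.encode(), _mac(username).encode())
        return username if ok else None


class SessionTableAuth:
    """Cookie carries only a random id pointing at a server-side record."""

    def __init__(self) -> None:
        self._sessions: dict = {}  # session id -> username

    def login(self, username: str) -> str:
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = username
        return session_id

    def logout(self, cookie: str) -> None:
        self._sessions.pop(cookie, None)  # deleting the record revokes the cookie

    def authenticate(self, cookie: str) -> Optional[str]:
        return self._sessions.get(cookie)


def replay_after_logout(auth) -> Optional[str]:
    """Steps 1-6 of the report: log in, copy the cookie, log out, present the copy."""
    copied = auth.login("admin")
    auth.logout(copied)
    return auth.authenticate(copied)
```

`replay_after_logout` returns the username for the stateless design and `None` for the session-table design, which is the behaviour a logout regression test should pin down.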