Channel: C1 CMS Foundation - Open Source on .NET

Commented Unassigned: Major Security Hole: Admin interface sessions are not destroyed correctly. [2121]

Hello;

I am experiencing a fairly major security issue with the admin interface. To reproduce it, do the following steps:

1. Log into admin interface.
2. Copy the '.CMSAUTH_...' cookie which is created.
3. Exit / logout the admin interface.
4. Browse back to the admin interface (it should now ask you to log in again).
5. Re-create the '.CMSAUTH...' cookie that you copied from step 2.
6. Refresh the page and note that you are automatically logged in again.

So basically, someone can fish an authenticated cookie and then use this to log in at any time for eternity.

P.S. Google Chrome has an extension called 'EditThisCookie' that is useful for importing/exporting cookies.
Comments:

** Comment from web user: napernik **

> So basically, someone can fish an authenticated cookie and then use this to log in at any time for eternity.

To be a bit more specific, a login cookie, if not used, expires after 5 days. Though if in use, a new one will be renewed once a day (in the latest builds).

In the previous versions it would always expire 2 days after the login.

For details see
Composite\Plugins\Security\LoginSessionStores\HttpContextBasedLoginSessionStore\HttpContextBasedLoginSessionStore.cs
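The two designs at issue in this thread, written out as an added example in Python (this is not C1 CMS code and not from either poster; the class names, the demo key and the timestamps are constructed, while the 5-day idle limit and the once-a-day renewal are the figures napernik gives above). `StatelessCookieAuth` models the reported behaviour: the signed cookie is the only proof of login, so "logout" merely removes it from the browser and a saved copy keeps working. `ServerSideSessionStore` is the fix a defender wants: the cookie is an opaque handle to a server-side record, logout destroys that record, unused sessions expire after 5 days, and active ones get a fresh cookie once a day with the old value revoked.

```python
"""Added example: why logout must revoke a login cookie server-side."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Constructed key for the demo; a real deployment loads it from protected config.
SERVER_KEY = b"constructed-demo-key-not-for-production"
IDLE_LIFETIME = timedelta(days=5)    # unused cookie lifetime (figure from the comment)
RENEW_INTERVAL = timedelta(days=1)   # active sessions get a fresh cookie this often


def _sign(payload: str) -> str:
    """HMAC the cookie payload so the client cannot forge or edit it."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


class StatelessCookieAuth:
    """Models the reported behaviour: the cookie alone proves login, so
    logout has nothing to revoke and a saved copy still works afterwards."""

    def login(self, user: str, now: datetime) -> str:
        expires = (now + IDLE_LIFETIME).isoformat()
        payload = f"{user}|{expires}"
        return f"{payload}|{_sign(payload)}"

    def logout(self, cookie: str) -> None:
        pass  # no server-side record exists, so there is nothing to destroy

    def user_for(self, cookie: str, now: datetime):
        user, expires, sig = cookie.rsplit("|", 2)
        if not hmac.compare_digest(sig, _sign(f"{user}|{expires}")):
            return None  # tampered payload
        if datetime.fromisoformat(expires) <= now:
            return None  # past the fixed expiry baked into the cookie
        return user


class ServerSideSessionStore:
    """Hardened variant: the cookie is an opaque random handle to a server-side
    record. Logout deletes the record, so a replayed cookie finds nothing."""

    def __init__(self) -> None:
        self._sessions: dict = {}  # token -> {"user", "issued", "last_seen"}

    def login(self, user: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "issued": now, "last_seen": now}
        return token

    def logout(self, cookie: str) -> None:
        self._sessions.pop(cookie, None)  # revoke: later replay is rejected

    def user_for(self, cookie: str, now: datetime):
        rec = self._sessions.get(cookie)
        if rec is None:
            return None
        if now - rec["last_seen"] > IDLE_LIFETIME:
            del self._sessions[cookie]  # sat unused for more than 5 days
            return None
        rec["last_seen"] = now  # sliding idle window
        return rec["user"]

    def renew_if_due(self, cookie: str, now: datetime):
        """Rotate an active session's cookie once per RENEW_INTERVAL; the old
        value is revoked so a copy taken earlier stops working."""
        rec = self._sessions.get(cookie)
        if rec is None or now - rec["issued"] < RENEW_INTERVAL:
            return None
        del self._sessions[cookie]
        fresh = secrets.token_urlsafe(32)
        self._sessions[fresh] = {"user": rec["user"], "issued": now, "last_seen": now}
        return fresh


def demo() -> dict:
    """Run both designs through the reporter's steps and return the outcomes."""
    t0 = datetime(2014, 1, 1, 12, 0)  # constructed timestamp
    r = {}

    weak = StatelessCookieAuth()
    saved = weak.login("admin", t0)                       # step 2: copy the cookie
    weak.logout(saved)                                    # step 3: log out
    r["stateless_replay_after_logout"] = weak.user_for(saved, t0 + timedelta(hours=1))
    r["stateless_tampered"] = weak.user_for("root|" + saved.split("|", 1)[1], t0)

    store = ServerSideSessionStore()
    saved = store.login("admin", t0)
    store.logout(saved)
    r["store_replay_after_logout"] = store.user_for(saved, t0 + timedelta(hours=1))

    unused = store.login("admin", t0)
    r["store_unused_5d"] = store.user_for(unused, t0 + timedelta(days=5, seconds=1))

    active = store.login("admin", t0)
    store.user_for(active, t0 + timedelta(days=4))        # used on day 4
    r["store_active_8d"] = store.user_for(active, t0 + timedelta(days=8))
    fresh = store.renew_if_due(active, t0 + timedelta(days=8))
    r["fresh_token_rotated"] = fresh is not None and fresh != active
    r["old_token_after_rotation"] = store.user_for(active, t0 + timedelta(days=8))
    r["fresh_token_after_rotation"] = store.user_for(fresh, t0 + timedelta(days=8))
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The signature in the stateless variant is not the weakness: a forged or edited cookie is still rejected. The weakness is that validity lives entirely in the cookie, so the server has no way to say "this one was logged out". Holding the session record server-side is what makes logout, idle expiry and daily rotation enforceable.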

