Hello;
I am experiencing a fairly major security issue with the admin interface. To reproduce it do the following steps:
1. Log into admin interface.
2. Copy the '.CMSAUTH_...' cookie which is created.
3. Exit / logout the admin interface.
4. Browse back to the admin interface (it should now ask you to log in again).
5. Re-create the '.CMSAUTH...' cookie that you copied from step 2.
6. Refresh the page and note that you are automatically logged in again.
So basically, someone can fish an authenticated cookie and then use this to log in at any time for eternity.
P.S. Google Chrome has an extension called 'EditThisCookie' that is useful for importing/exporting cookies.
Comments: ** Comment from web user: iaresean **
Thanks for your comments gentlemen.
Reading into this, I must admit that my title of "Major Security Hole" was a bit too hastily applied.
Good to know the cookie will expire in 2 days. Do you know if there is an easy way for me to override this setting?
---
For those interested in this topic, there is some interesting reading here:
http://stackoverflow.com/questions/2498599/can-some-hacker-steal-the-cookie-from-a-user-and-login-with-that-name-on-a-web-s
http://stackoverflow.com/questions/16062808/form-authentication-cookie-replay-attack-protection
http://stackoverflow.com/questions/9636857/how-can-asp-net-or-asp-net-mvc-be-protected-from-related-domain-cookie-attacks?lq=1
----
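The replay described in this thread, and the server-side check that stops it, as an added example that is not part of the original posts and is not the CMS's own code. It models a signed, self-contained auth ticket in Python; the ticket layout, the key, the denylist and all function names are assumptions made for illustration, and only the 2-day lifetime comes from the thread.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)   # signing key (constructed for this example)
LIFETIME = 2 * 24 * 3600           # the 2-day expiry mentioned in the thread
revoked = {}                       # ticket id -> expiry: server-side denylist

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def issue_ticket(user, now):
    """Return a signed, self-contained auth cookie value (hypothetical layout)."""
    body = json.dumps({"u": user, "id": secrets.token_hex(8), "exp": now + LIFETIME}).encode()
    return _b64(body) + "." + _b64(hmac.new(SECRET, body, hashlib.sha256).digest())

def _parse(cookie, now):
    """Check signature and expiry; return the claims or None."""
    try:
        body, mac = (base64.urlsafe_b64decode(p) for p in cookie.split("."))
    except ValueError:  # wrong shape or bad base64
        return None
    if not hmac.compare_digest(mac, hmac.new(SECRET, body, hashlib.sha256).digest()):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > now else None

def validate_stateless(cookie, now):
    """Signature + expiry only. Clearing the browser cookie at logout
    changes nothing here, so a saved copy keeps working until 'exp'."""
    return _parse(cookie, now)

def logout(cookie, now):
    """Server-side logout: denylist the ticket id until it would expire."""
    claims = _parse(cookie, now)
    if claims:
        revoked[claims["id"]] = claims["exp"]
    for tid in [t for t, exp in revoked.items() if exp <= now]:
        del revoked[tid]  # expired tickets fail on 'exp' anyway

def validate_with_revocation(cookie, now):
    """As above, plus the denylist lookup that rejects a replayed ticket."""
    claims = _parse(cookie, now)
    return None if claims is None or claims["id"] in revoked else claims
```

The `now` argument is passed explicitly so the expiry behaviour can be checked deterministically; a real handler would use the server clock.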