[Metalab Issues] #192: Logout in the Issue Tracker doesn't work properly
Metalab Issues
issues at lists.metalab.at
Fri Apr 26 00:28:05 CEST 2013
#192: Logout in the Issue Tracker doesn't work properly
-----------------+-----------------------
Reporter: pepi | Owner:
Status: new | Keywords: wiki, trac
-----------------+-----------------------
Description changed by simonrepp:
Old description:
> Simon Repp just discovered this odd behaviour:
>
> Login to the Metalab Wiki.
> Logout of the Metalab Wiki.
> Open the Issue tracker.
> Click Login.
>
> Expected Behaviour:
> You'll get asked for your login credentials since you're not logged into
> the Metalab Wiki.
>
> Actual results:
> The last user that was logged into the Wiki is automatically
> authenticated for the issue tracker.
>
> This should not happen.
>
> Regression:
> Firefox in private mode. No cookies are stored, all cookies deleted,
> Firefox quit and reopened. Behaviour is still the same.
>
> Security implication: Allows impersonation, maybe even unfriendly
> takeover of an account.
New description:
Simon Repp just discovered this odd behaviour on the Hauptraum
Surfstation:
Open the Issue tracker.
Click Login.
You are now logged in as XXXXXXX. (without being asked for or providing
any credentials!!)
This should not happen.
Regression:
Firefox in private mode. No cookies are stored, all cookies deleted,
Firefox quit and reopened. Behaviour is still the same.
Security implication: Allows impersonation, maybe even unfriendly
takeover of an account.
--
Ticket URL: <https://metalab.at/issues/ticket/192#comment:2>
Metalab Issues <https://metalab.at/issues>
Metalab is a Hackerspace in Vienna's first district.