Hello,
We have identified quite a big security flaw in our system when accessing our web application through Firefox. I will try my best to explain it, but if you require more information then please let me know.
When we log into the database, then go into the developer tools, we can see the following request is made when accessing a record.
[screenshot: the request]
The response is then
[screenshot: the response]
This is what we expect to see. The problem is when we log out of the database and then resend the same request, it still shows the response including all the data. Even if I navigate to a completely different webpage and then still run the request, it still allows me to bring back the data. I can only assume it is because the connection/session is not closing.
We have a logout button which directs to a .a5w page which consists of the below code:
Code:
<!doctype html public "-//w3c//dtd html 4.01 transitional//en" "http://www.w3.org/tr/html4/loose.dtd">
<html>
<head>
<meta name="generator" content="Alpha Five HTML Editor Version 10 Build 2787-3538">
<!-- must use in order to make XP Themes render -->
<meta HTTP-EQUIV="MSThemeCompatible" content="Yes" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title></title>
</head>
<!-- onload value quoted; the original had it unquoted -->
<body onload="javascript:window.history.forward(1);">
<p> </p>
<p>You have been logged out. Click <a href="login.a5w">here</a> to return to the home page.</p>
<%a5
' Remove the login-related session variables, then clear the whole
' session and call the built-in logout routine.
delete session.__protected__loginid
delete session.__protected__userid
delete session.__protected__loginguid
delete session.__protected__logingrp
delete session.__protected__logindte
context.session.clear()
a5ws_logoutuser()
%>
<script>
window.open("login.a5w","_parent");
</script>
<p></p>
</body>
</html>
Another note is, even if I clear all cookies on the browser after logout, I still can access the data. I believe this is because on the application end, it is not terminating the session on the logout function and is keeping it live, therefore the request is still using a valid SessionID to access the data.
Any help would be greatly appreciated,
Thanks,
Toby.
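Added example, not from the post or from Alpha Five: a small Python model of the replay-after-logout test described above. It shows the two ways the symptom arises, a logout that only clears session variables while the server-side session entry stays alive, and a data handler that only checks that the session id is known rather than that the session still carries a logged-in user. The class and function names (SessionStore, weak_handler, strict_handler, replay_after_logout) are assumptions made for the illustration.

```python
import secrets

class SessionStore:
    """In-memory server-side session store (constructed for this example)."""

    def __init__(self):
        self.sessions = {}            # session id -> dict of session variables

    def login(self, userid):
        sid = secrets.token_hex(16)   # the SessionID the browser would send back
        self.sessions[sid] = {"userid": userid}
        return sid

    def clear_variables(self, sid):
        """Logout as on the .a5w page: variables removed, session entry kept."""
        if sid in self.sessions:
            self.sessions[sid].clear()

    def destroy(self, sid):
        """Logout that terminates the server-side session outright."""
        self.sessions.pop(sid, None)


def weak_handler(store, sid):
    """Serves the record whenever the session id is still known to the server."""
    if sid in store.sessions:
        return 200, "record data"
    return 401, None


def strict_handler(store, sid):
    """Serves the record only for a live session that still has a userid."""
    sess = store.sessions.get(sid)
    if sess and sess.get("userid"):
        return 200, "record data"
    return 401, None


def replay_after_logout(logout, handler):
    """Log in, log out, replay the captured request; True means data leaked.

    Clearing browser cookies makes no difference here: the replayed request
    carries the captured session id, exactly as in the dev-tools resend.
    """
    store = SessionStore()
    sid = store.login("toby")
    assert handler(store, sid)[0] == 200   # sanity: works while logged in
    logout(store, sid)
    status, body = handler(store, sid)
    return status == 200 and body is not None
```

Only the combination of clearing variables and an existence-only handler leaks; destroying the server-side session stops the replay regardless of the handler, which is the property to verify against the real logout page.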