Session management / token _ac / Session ID

Dear plone community,
Our website is aptransco.co.in, built on Plone 5.2.0 and upgraded to 5.2.6.
I am using Plone 5.2.6. The session ID always remains the same in the admin user account. After the expiry of the session (logging out of the admin user), when logged in through another user account, if the session ID of the user account is replaced with the present admin session ID, I am able to access the admin account without actually logging in. This I consider a major flaw. Please provide the solution for the expiry of the session ID after every logout and the creation of a new session ID for every new login.

The report may be a security issue. Please do not report security issues in this public forum - instead send security issue reports to "mailto:security@plone.org".

In your email you should precisely describe what you mean by "Session ID". In a Plone context, "Session ID" could mean different things. In all cases, the "Session ID" is usually not visible to normal users and usually cannot be manipulated at will. Please describe in detail how you observe and manipulate the "Session ID".

In stock Plone, authentication information implementing an authentication session is maintained in cookies. When you log out, those cookies are expired, i.e. no longer sent by your browser to the server. However, if you can trick a browser into using an "old" cookie value, you may be able to use the authentication session corresponding to that value. Restrict access to your site to "https" so that such cookie values cannot be obtained by network sniffing.

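As an added illustration of the reply above (constructed example code, not Plone's or plone.session's implementation), here is a Python sketch of a signed login ticket combined with a server-side per-user generation counter, so that logout revokes previously issued cookie values instead of only expiring them in the browser; the secret, the ticket layout and all helper names are assumptions.

```python
import hmac
import hashlib

# Constructed server secret for the demo; a real deployment keeps this outside the code.
SECRET = b"constructed-demo-secret"

# Server-side state: one "session generation" counter per user. Logging out bumps it,
# so every ticket minted under the old generation is rejected from then on.
_generation = {}

def current_generation(userid):
    return _generation.get(userid, 0)

def issue_ticket(userid, now):
    """Login: mint 'userid:generation:issued_at:hmac' (constructed layout)."""
    payload = f"{userid}:{current_generation(userid)}:{int(now)}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"

def logout(userid):
    """Logout: invalidate every outstanding ticket for this user, not just the browser cookie."""
    _generation[userid] = current_generation(userid) + 1

def validate_ticket(ticket, now, max_age=3600):
    """Return the userid if the ticket is authentic, fresh and not revoked, else None."""
    try:
        userid, gen, issued, sig = ticket.rsplit(":", 3)
        gen, issued = int(gen), int(issued)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{userid}:{gen}:{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered ticket
    if now - issued > max_age:
        return None  # expired by age
    if gen != current_generation(userid):
        return None  # issued before a logout: an old cookie value being replayed
    return userid

def replay_scenario():
    """Reproduce the report: reuse an admin cookie value after the admin logged out."""
    t0 = 1_000_000
    admin_cookie = issue_ticket("admin", t0)
    before = validate_ticket(admin_cookie, t0 + 10)                    # "admin" while logged in
    logout("admin")
    after = validate_ticket(admin_cookie, t0 + 20)                     # None: old value revoked
    fresh = validate_ticket(issue_ticket("admin", t0 + 30), t0 + 40)   # new login works
    return before, after, fresh
```

The same check is what a pure cookie-expiry logout lacks: without server-side state of some kind, any still-valid cookie value keeps working until its signature's lifetime runs out.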