
List:       forgerock-openam
Subject:    Re: [OpenAM] Unterminated Session ID on Logout
From:       Zoltan Tarcsay <zoltan.tarcsay () forgerock ! com>
Date:       2014-10-28 11:06:06
Message-ID: FAEC1377-19F5-412A-925F-E011B3F1F89C () forgerock ! com

Hi,

OpenAM does not use/set/reset the JSESSIONID cookie (your servlet container does).

-Zoltan

> On 28 Oct 2014, at 08:15, Nestore Sulcis <nestsulcis@inbox.com> wrote:
> 
> 
> I have OpenAM 10.0.0 and after a security assessment they told me
> that after logging out with OpenAM, using a URL like this: 
> 
> https://mywebsite.domain.com/openam/UI/Logout
> 
> the cookie "JSESSIONID" is NOT
> invalidated, leaving an attacker the chance to reuse that value.
> 
> Note that in the "Logout URL" configured in the web agent I put (only)
> the Logout URL shown above, and in the top level realm (the only realm I use)
> I've kept the default authentication chain, i.e. one made of just the "DataStore" module.
> 
> I'd like to know if that is a misconfiguration or an open security issue.
> 
> 
> _______________________________________________
> OpenAM mailing list
> OpenAM@forgerock.org
> https://lists.forgerock.org/mailman/listinfo/openam

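Zoltan's point above, that the servlet container and not OpenAM owns JSESSIONID, means the container session must be invalidated separately if the assessor's finding is to be closed. The following is an added example, not OpenAM's or ForgeRock's code: a hypothetical servlet filter, assumed to be mapped to /UI/Logout in the deployed web application's web.xml (a deployment change, not an OpenAM configuration setting), that invalidates the container HttpSession and expires the JSESSIONID cookie before the logout page itself runs. The class name, the path check and the cookie path are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not part of OpenAM): on the OpenAM logout URL,
 * drop the servlet container's own session so a captured JSESSIONID
 * cannot be replayed after logout. OpenAM's SSO session is handled by
 * OpenAM itself; this filter only deals with the container session.
 *
 * Assumed web.xml mapping (deployment-specific):
 *   <filter-mapping>
 *     <filter-name>ContainerSessionLogoutFilter</filter-name>
 *     <url-pattern>/UI/Logout</url-pattern>
 *   </filter-mapping>
 */
public class ContainerSessionLogoutFilter implements Filter {

    // Assumed path of the logout page relative to the OpenAM context.
    private static final String LOGOUT_PATH = "/UI/Logout";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to configure.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Defensive check in case the mapping is broader than intended.
        if (request.getRequestURI().endsWith(LOGOUT_PATH)) {
            // getSession(false) never creates a session; only invalidate one
            // that already exists. Invalidation is the server-side control:
            // after this call the old JSESSIONID value is no longer accepted.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }

            // Also expire the cookie in the browser. The path must match the
            // path the container issued it under (assumed: the context path),
            // otherwise the browser treats this as a different cookie.
            String contextPath = request.getContextPath();
            Cookie expired = new Cookie("JSESSIONID", "");
            expired.setPath(contextPath.isEmpty() ? "/" : contextPath);
            expired.setMaxAge(0);
            expired.setSecure(request.isSecure());
            // Headers must be added before the response is committed, which
            // is why this happens before the logout page is rendered.
            response.addCookie(expired);
        }

        // Let OpenAM's logout page run as normal (it may create a fresh
        // container session; that one is unrelated to the old cookie value).
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

A practitioner closing the finding should re-test after deploying the filter by saving the JSESSIONID value issued during login, calling /UI/Logout, and then replaying the saved value: the container should respond with a new Set-Cookie for JSESSIONID rather than resuming the old session. Expiring the cookie client-side is only cosmetic; the invalidate() call is what actually stops reuse.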