LO73712: 'COOKIE DOESN'T EXPIRE AFTER LOGOUT' SAME COOKIES CAN BE REUSED WITHOUT AUTHENTICATION


APAR status

  • Closed as fixed if next.

Error description

  • Steps to check the 'Cookie doesn't expire after logout' defect:
    
    1) Access the following URL and log in to the Webmail from a
    browser:
    
     https://Acmeserver.Acme.com/
    
    2) Note down the cookie value that is passed while accessing the
    Webmail.
    
     Sample Request:
    
     Sample Cookie Value:
    
    Cookie: Shimmer=ui:L;
    LtpaToken=AAECAzUwREQ5Q0JGNTBEREEzQzdDTj1TaGFiYmVyIEtoYW4vT1U9TVVNL089VENTiN6jjGM48tbgT1nQiHVgyhug7Xc=;
    ShimmerS=ET:20121228T135103%2c69Z&R:0&AT:M
    
    3) Log out from the Webmail and close the browser.
    
    4) Open another browser, request the same login URL as in step 1,
    and trap this request in the proxy tool.
    
     The request will look like the one below:
    
    5) Append the cookie value saved in step 2 to the request and send
    the request.
    
     Repeat steps 4 and 5 for each request coming from the browser.
    
    Result:
     In this way one can use any function of the application without
    being authenticated again.
    
     This cookie can be used from another machine to access the user
    account to which the cookie belongs.
    
     Following are some screenshots taken while trying to access the
    mail account without authentication, using the cookie of a user
    who has logged off.
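The defect above is what happens when a session cookie is validated only for integrity and expiry, with no server-side record of logout. The following is an added example (not IBM's code and not the real LtpaToken format), using a constructed `user|expiry|HMAC` token, a constructed secret and a constructed Cookie header in the shape shown in step 2, to contrast a stateless check that still accepts the replayed cookie with a registry-backed check that rejects it once the user has logged out.

```python
import hashlib, hmac

SECRET = b"demo-secret-not-for-production"  # constructed demo key, not a real Domino secret
active_sessions = set()  # server-side registry of tokens not yet logged out

def issue_token(user, now, ttl=3600):
    """Mint a signed token (user|expiry|HMAC; illustrative format, not LtpaToken's) and register it."""
    payload = f"{user}|{now + ttl}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    token = f"{payload}|{sig}"
    active_sessions.add(token)
    return token

def logout(token):
    active_sessions.discard(token)  # revoke server-side; clearing the browser cookie alone is not enough

def token_from_cookie_header(header):
    """Extract the LtpaToken value from the Cookie header's name=value; pairs."""
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "LtpaToken":
            return value
    return None

def stateless_check(token, now):
    """Integrity and expiry only: the token stays valid until it expires, whatever logout did."""
    if token is None or token.count("|") != 2:
        return None
    user, exp, sig = token.split("|")
    expected = hmac.new(SECRET, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or not exp.isdigit() or now >= int(exp):
        return None
    return user

def stateful_check(token, now):
    """Same checks plus a registry lookup, so a token replayed after logout is rejected."""
    user = stateless_check(token, now)
    return user if user is not None and token in active_sessions else None

def demo():
    t0 = 1356700000  # constructed timestamp (seconds)
    tok = issue_token("alice", t0)
    header = f"Shimmer=ui:L; LtpaToken={tok}; ShimmerS=ET:20121228T135103%2c69Z&R:0&AT:M"
    replayed = token_from_cookie_header(header)  # what a proxy would capture in step 2
    logout(tok)
    return {
        "stateless_after_logout": stateless_check(replayed, t0 + 60),    # 'alice': the defect
        "stateful_after_logout": stateful_check(replayed, t0 + 60),      # None: revoked
        "stateless_after_expiry": stateless_check(replayed, t0 + 3600),  # None: expiry still works
    }
```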
    

Local fix

Problem summary

  • This APAR is closed as FIN. We have deferred the fix to a future
    release.
    

Problem conclusion

Temporary fix

Comments

  • This APAR is associated with SPR# DMEA6WAJ7N.
    This APAR is closed as FIN. We have deferred the fix to a future
    release.
    

APAR Information

  • APAR number

    LO73712

  • Reported component name

    DOMINO SERVER

  • Reported component ID

    5724E6200

  • Reported release

    853

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-01-30

  • Closed date

    2013-02-11

  • Last modified date

    2013-02-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

  • R853 PSN

       UP




Document information


More support for:

IBM Domino

Software version:

8.5.3

Reference #:

LO73712

Modified date:

2013-02-11
