LO73712: 'COOKIE DOESN'T EXPIRE AFTER LOGOUT' SAME COOKIES CAN BE REUSED WITHOUT AUTHENTICATION

APAR status

• Closed as fixed if next.

Error description

• Steps to check 'Cookie doesn't expire after logout' defect:
  
  1) Access the following URL and Login into the WEBMAIL from
  browser,
  
   https://Acmeserver.Acme.com/
  
  2) Now note down the cookie value which is being passed while
  accessing the
  Webmail:
  
   Sample Request:
  
   Sample Cookie Value :
  
  Cookie: Shimmer=ui:L;
  LtpaToken=AAECAzUwREQ5Q0JGNTBEREEzQzdDTj1TaGFiYmVyIEtoYW4vT1U9TV
  VNL089VENTiN6jjG
  M48tbgT1nQiHVgyhug7Xc=;
  ShimmerS=ET:20121228T135103%2c69Z&R:0&AT:M
  
  3) Logout from the webmail and close the browser.
  
  4) Now open another browser and hit the same login URL as
  mentioned in step 1
  and trap this request  in the proxy tool.
  
   Request will look like as below :
  5) Now append cookie value to request, which we have saved
  during step2 and
  send request.
  
   Repeat Step 4 and Step 5 for each request which is coming from
  the
  browser.
  
  Result:
   This way one can use any function of application without being
  
  authenticated again.
  
   This cookie can be used from some other machine to access user
  account
  to which cookie belongs.
  
   Followings are some screen shots which are taken while trying
  to access
  mail account without authentication and with the use of cookie
  whose user has
  logged off.
  

Local fix

Problem summary

• This APAR is closed as FIN. We have deferred the fix to a
   future release.
  

Problem conclusion

Temporary fix

Comments

• This APAR is associated with SPR# DMEA6WAJ7N.
  This APAR is closed as FIN. We have deferred the fix to a
   future release.
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

• R853 PSN

     UP