LO73712: 'COOKIE DOESN'T EXPIRE AFTER LOGOUT' SAME COOKIES CAN BE REUSED WITHOUT AUTHENTICATION
Closed as fixed if next.
Steps to reproduce the 'Cookie doesn't expire after logout' defect:

1) Access the following URL and log in to the webmail from a browser: https://Acmeserver.Acme.com/
2) Note down the cookie value that is passed while accessing the webmail. Sample request, sample cookie value:
   Cookie: Shimmer=ui:L; LtpaToken=AAECAzUwREQ5Q0JGNTBEREEzQzdDTj1TaGFiYmVyIEtoYW4vT1U9TV VNL089VENTiN6jjG M48tbgT1nQiHVgyhug7Xc=; ShimmerS=ET:20121228T135103%2c69Z&R:0&AT:M
3) Log out from the webmail and close the browser.
4) Open another browser, request the same login URL as in step 1, and trap the request in the proxy tool. The request will look as below:
5) Append the cookie value saved in step 2 to the request and send it. Repeat steps 4 and 5 for each request coming from the browser.

Result: In this way one can use any function of the application without being authenticated again. The cookie can be used from another machine to access the account of the user to whom the cookie belongs. Following are some screenshots taken while accessing a mail account without authentication, using the cookie of a user who has logged off.
This APAR is associated with SPR# DMEA6WAJ7N. This APAR is closed as FIN. We have deferred the fix to a future release.