Security issue? - Editors remain logged in after logging out in Episerver 5 enterprise installations
Recently, after migrating an enterprise site from v4 to v5, I discovered a potential security issue in v5.
In v4, if an enterprise site had foo.com and bar.com, then foo.com/mytemp.aspx?id=100 and bar.com/mytemp.aspx?id=100 would show the same page, and I suppose this was also the reason that once you were logged in to one site, all sites were accessible in edit mode. The same also applied to simple addresses for pages, i.e. foo.com/foo and bar.com/foo would result in the same page being shown.
In v5 the friendly URL functionality is rewritten and the "cross-domain" addresses no longer work. This has an interesting consequence when working in edit mode: when logged in to edit mode for foo.com, clicking on the node for bar.com pops up the login box. For some editors this is really annoying, because their workflow involves publishing to many sites in a short time.
But the real security issue is that after logging out from the edit-mode interface, the editor remains logged in on foo.com.
I have tested this behaviour on a test site running R1 SP3.
I suppose the only fix for this at the moment is awareness of this behaviour.
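To make the behaviour above concrete, here is an added illustration that is not from the original post and not Episerver code. It assumes (the post does not say so) that edit-mode login is an ordinary ASP.NET forms-authentication cookie, named .ASPXAUTH by default, and it uses Python's standard cookie jar to replay the three steps with constructed Set-Cookie headers: log in on foo.com, log in again on bar.com, log out on bar.com. Because a browser scopes each cookie to the host that set it, the logout on bar.com can only expire bar.com's ticket, and foo.com's ticket keeps being sent. The hostnames, paths and ticket values are placeholders.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for an HTTP response so CookieJar.extract_cookies works offline."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for value in set_cookie_headers:
            self._msg.add_header("Set-Cookie", value)

    def info(self):
        return self._msg


def apply_response(jar, url, set_cookie_headers):
    """Store constructed Set-Cookie headers received from `url`, as a browser would."""
    req = urllib.request.Request(url)
    jar.extract_cookies(_FakeResponse(set_cookie_headers), req)


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0].strip()
                  for part in header.split(";") if part.strip())


def simulate_logout_leak(auth_cookie=".ASPXAUTH"):
    """Replay login on foo.com, login on bar.com, logout on bar.com (assumed flow).

    Returns which auth cookies each host would still receive afterwards.
    """
    jar = http.cookiejar.CookieJar()
    # 1. Editor logs in to edit mode on foo.com: foo.com sets its own ticket
    #    (hypothetical URLs and ticket values).
    apply_response(jar, "http://foo.com/edit/login.aspx",
                   [f"{auth_cookie}=ticket-for-foo; path=/; HttpOnly"])
    # 2. Clicking the bar.com node prompts a second login; bar.com sets a
    #    separate ticket scoped to bar.com.
    apply_response(jar, "http://bar.com/edit/login.aspx",
                   [f"{auth_cookie}=ticket-for-bar; path=/; HttpOnly"])
    # 3. Editor logs out on bar.com. The server expires the cookie by sending
    #    it with a date in the past, but it can only address the bar.com copy.
    apply_response(jar, "http://bar.com/edit/logout.aspx",
                   [f"{auth_cookie}=; path=/; "
                    "expires=Thu, 01-Jan-1970 00:00:00 GMT"])
    return {
        "foo.com": cookies_sent_to(jar, "http://foo.com/edit/"),
        "bar.com": cookies_sent_to(jar, "http://bar.com/edit/"),
    }


if __name__ == "__main__":
    # Expected: foo.com still receives .ASPXAUTH, bar.com receives nothing.
    print(simulate_logout_leak())
```

The same replay can be run against a real installation with a browser's developer tools: after logging out on one host, check which hosts in the enterprise still receive an authentication cookie, and treat any that do as still logged in.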