Shamrez Iqbal
Oct 7, 2008
  3957
(0 votes)

Security issue? - Editors remain logged in after logging out in Episerver 5 enterprise installations

Recently, after migrating an enterprise site from v4 to v5 I discovered a potential security issue in v5.

In v4 if an enterprise site had foo.com and bar.com then foo.com/mytemp.aspx?id=100 and bar.com/mytemp.aspx?id=100 would show the same page and i suppose this also was the reason that once you were logged in to a site all site were accesible in edit-mode. The same also applied to simple addresses for pages. I.e. foo.com/foo and bar.com/foo would result in the same page being shown.

In V5 the friendly url functionality is rewritten and the “cross-domain” addresses do not work. This has an interesting consequence when working in edit-mode. Whenl logging in to edit-mode for foo.com, and clicking on the node for bar.com this pops up the login box. For some of the editors this can be a really annoying thing because of their workflow with publshing to many sites in a short time.

But the real security issue is that after logging out from the edit mode interface, the editor will remain logged in on foo.com.

I have tested this behaviour on a test site running r1 sp3.

I suppose the only fix for this at the moment is awareness of this behaviour.

Oct 07, 2008

Comments

Please login to comment.
Latest blogs
Plug-in manager is back in CMS 12

Plug-in manager is back in the UI, what is it and how can i use it?

Luc Gosso (MVP) | Oct 6, 2022 | Syndicated blog

Display Child Pages in Content Delivery API Response

The below example will implement an instance of IContentConverterProvider to customise the serialisation of PageData and output child pages in the...

Minesh Shah (Netcel) | Oct 4, 2022

Bring the Report Center back in Optimizely CMS 12

The Report Center has been a part of Optimizely CMS since its first debut in version 5R2 in 2008, but in CMS 12, it's removed! Don't despair! Make...

Tomas Hensrud Gulla | Oct 4, 2022 | Syndicated blog

Customizing Property Lists in Optimizely CMS

Generic property lists is a cool editorial feature that has gained a lot of popularity - in spite of still being unsupported (officially). But if y...

Allan Thraen | Oct 2, 2022 | Syndicated blog

Optimizely names Luminary Senior Developer, Ynze Nunnink, OMVP

Luminary Senior Developer and Optimizely Lead, Ynze Nunnink has secured the coveted position of Optimizely MVP. Earning a Platinum badge for his...

Ynze | Oct 2, 2022 | Syndicated blog

Content Delivery API – The Case of the Duplicate API Refresh Token

Creating a custom refresh provider to resolve the issues with duplicate tokens in the DXC The post Content Delivery API – The Case of the Duplicate...

David Lewis | Sep 29, 2022 | Syndicated blog