London Dev Meetup Rescheduled! Due to unavoidable reasons, the event has been moved to 21st May. Speakers remain the same—any changes will be communicated. Seats are limited—register here to secure your spot!

Shamrez Iqbal
Oct 7, 2008
  4635
(0 votes)

Security issue? - Editors remain logged in after logging out in Episerver 5 enterprise installations

Recently, after migrating an enterprise site from v4 to v5 I discovered a potential security issue in v5.

In v4 if an enterprise site had foo.com and bar.com then foo.com/mytemp.aspx?id=100 and bar.com/mytemp.aspx?id=100 would show the same page and i suppose this also was the reason that once you were logged in to a site all site were accesible in edit-mode. The same also applied to simple addresses for pages. I.e. foo.com/foo and bar.com/foo would result in the same page being shown.

In V5 the friendly url functionality is rewritten and the “cross-domain” addresses do not work. This has an interesting consequence when working in edit-mode. Whenl logging in to edit-mode for foo.com, and clicking on the node for bar.com this pops up the login box. For some of the editors this can be a really annoying thing because of their workflow with publshing to many sites in a short time.

But the real security issue is that after logging out from the edit mode interface, the editor will remain logged in on foo.com.

I have tested this behaviour on a test site running r1 sp3.

I suppose the only fix for this at the moment is awareness of this behaviour.

Oct 07, 2008

Comments

Please login to comment.
Latest blogs
Optimizely Product Recommendation Troubleshooting

In today’s fast-paced digital landscape, personalization is everything . Customers expect relevant, tailored experiences whenever they interact wit...

Sanjay Kumar | Apr 28, 2025

Natural Language Q&A in Optimizely CMS Using Azure OpenAI and AI Search

In Part 2, we integrated Azure AI Search with Azure Personalizer to build a smarter, user-focused experience in Optimizely CMS. We used ServiceAPI ...

Naveed Ul-Haq | Apr 25, 2025 |

Identifying Spike Requests and Issues in Application Insights

Sometimes within the DXP we see specific Azure App Instances having request spikes causing performance degredation and we need to investigate. I fi...

Scott Reed | Apr 25, 2025

Optimizely Frontend Hosting Beta – Early Thoughts and Key Questions

Optimizely has opened the waitlist for its new Frontend Hosting capability. I’m part of the beta programme, but my invite isn’t due until May, whil...

Minesh Shah (Netcel) | Apr 23, 2025