PostNuke

Flexible Content Management System

News

Cookie Implementation poses a high security risk

Contributed by Those are very valid on Aug 03, 2001 - 10:53 PM




I frequently log on to this website at the office, and I remembered that I had logged on yesterday and had changed the theme.

To cut this story short, I think that the customization of PostNuke is very cookie dependent. This poses a high security risk, especially for an active user. An anonymous user who accidentally stumbles upon this website, which was visited by a registered user who previously used the machine, will have "all" the privileges of the registered user. This will affect user credibility, and the worst thing that might happen is that the account could be exploited, for example for posting spam.












Maybe, to solve this problem, one could implement a user timeout in case prolonged inactivity is detected. One shortcoming of this approach is that there are many webmasters who just log in and stay on the site as long as they are online.

This development community is talented and solid, so I think we can find a solution to this problem.












xorprime
863
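The inactivity timeout proposed in the post, as an added sketch (not PostNuke code and not written by the post's author): sessions live on the server, each request resets a sliding idle timer so a webmaster who keeps working stays logged in, and a cookie left behind on a shared machine stops working once the idle window or a hard lifetime cap passes. `SessionStore`, its method names and both timeout values are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before logout
ABSOLUTE_LIFETIME = 8 * 3600  # assumed: hard cap, even for an active user


class SessionStore:
    """Server-side sessions; the cookie carries only an opaque random token."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested
        self._sessions = {}   # sha256(token) -> {"user", "created", "last_seen"}

    @staticmethod
    def _key(token):
        # Store a hash so a dump of the table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = {
            "user": user, "created": now, "last_seen": now,
        }
        return token  # value to send as the session cookie

    def authenticate(self, token):
        """Return the user for a live session, or None if missing or expired."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self._clock()
        idle = now - session["last_seen"] > IDLE_TIMEOUT
        too_old = now - session["created"] > ABSOLUTE_LIFETIME
        if idle or too_old:
            del self._sessions[key]  # expired on the server: stale cookie is useless
            return None
        session["last_seen"] = now   # sliding window: activity resets the idle timer
        return session["user"]

    def logout(self, token):
        self._sessions.pop(self._key(token), None)
```

Because expiry is enforced on the server, it holds even if the browser keeps the cookie indefinitely.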