This question about Authentication or Authorisation: Asked

Last User Remembered

-- WesleyJacobs - 21 Feb 2017

System is remembering the last user that logs in. LoginManager is set to Foswiki::LoginManager::TemplateLogin.

I can log in as my user, then have someone else log in from another client, I click on a topic or refresh and "presto", I'm now that user from the other client.

-- WesleyJacobs - 21 Feb 2017

I've not seen Foswiki behave this way. Are you accessing Foswiki via a portal or proxy that might be confusing things? There are a few configuration settings to check (they are "expert" settings on the Security and Authentication - Sessions tab):
{Sessions}{IDsInURLs} = 0
{Sessions}{MapIP2SID} = 0
{Sessions}{UseIPMatching} = 1
The MapIP2SID setting should be unchecked in configure. You could also uncheck the UseIPMatching setting. In a normal Cookies environment, the only way for one user to "steal" another user's identity would be to somehow hijack the FOSWIKISID or SFOSWIKISID cookie. The session ID is a new unique random string generated during login. Unless the browser presents that ID in the cookie, I can't see how a session could be stolen this way.

-- GeorgeClark - 21 Feb 2017
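
The proxy scenario raised in the answer above, as an added example (not part of the original thread and not Foswiki's code): a simplified Python model of an IP-to-session mapping of the kind {Sessions}{MapIP2SID} enables, next to cookie-only sessions. The class and function names, the sample address, and the assumption that the IP mapping takes precedence over the cookie are illustrative.

```python
import secrets


class SessionStore:
    """Toy session layer (hypothetical, not Foswiki's implementation).

    map_ip_to_sid=True models an IP-to-session mapping;
    map_ip_to_sid=False models sessions identified by the cookie alone.
    """

    def __init__(self, map_ip_to_sid):
        self.map_ip_to_sid = map_ip_to_sid
        self.sessions = {}   # session ID -> logged-in user
        self.ip_to_sid = {}  # client IP -> session ID (only used when mapping is on)

    def login(self, user, client_ip):
        sid = secrets.token_hex(16)  # new random session ID generated at login
        self.sessions[sid] = user
        if self.map_ip_to_sid:
            # The last login seen from this address replaces the earlier mapping.
            self.ip_to_sid[client_ip] = sid
        return sid  # value the browser would hold in its session cookie

    def whoami(self, client_ip, cookie_sid=None):
        # Assumption: when the mapping is on, it is consulted instead of the cookie.
        if self.map_ip_to_sid:
            sid = self.ip_to_sid.get(client_ip)
        else:
            sid = cookie_sid
        return self.sessions.get(sid)


def simulate(map_ip_to_sid):
    """Two users log in through one proxy address. Returns the identity the
    server assigns to the first user's next request."""
    proxy_ip = "192.0.2.10"  # constructed: the one address the server sees for both
    store = SessionStore(map_ip_to_sid)
    first_cookie = store.login("UserA", proxy_ip)
    store.login("UserB", proxy_ip)  # second client, same apparent address
    return store.whoami(proxy_ip, cookie_sid=first_cookie)


if __name__ == "__main__":
    print("IP-to-session mapping on:", simulate(True))
    print("cookie-only sessions:    ", simulate(False))
```

With the mapping on, the first user's refresh resolves to the second user's session, which is the symptom reported in the question; with cookie-only sessions each browser keeps its own identity.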

Subject Authentication or Authorisation
Extension
Version Foswiki 2.1.3
Status Asked
Related Topics
Topic revision: r2 - 21 Feb 2017, GeorgeClark