This question about Authentication or Authorisation: Asked

Last User Remembered

-- WesleyJacobs - 21 Feb 2017

The system is remembering the last user that logs in. LoginManager is set to Foswiki::LoginManager::TemplateLogin

I can log in as my user, then have someone else log in from another client, I click on a topic or refresh and "presto", I'm now that user from the other client.

-- WesleyJacobs - 21 Feb 2017

I've not seen Foswiki behave this way. Are you accessing Foswiki via a portal or proxy that might be confusing things? There are a few configuration settings to check. (They are "expert" settings on the Security and Authentication - Sessions tab):
{Sessions}{IDsInURLs} = 0
{Sessions}{MapIP2SID} = 0
{Sessions}{UseIPMatching} = 1
The MapIP2SID setting should be unchecked in configure. You could also uncheck the UseIPMatching setting. In a normal Cookies environment, the only way for one user to "steal" another user's identity would be to somehow hijack the FOSWIKISID or SFOSWIKISID cookie. The session ID is a new unique random string generated during login. Unless the browser presents that ID in the cookie, I can't see how a session could be stolen this way.

-- GeorgeClark - 21 Feb 2017
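
The check suggested in the answer above can also be run against the saved configuration file. This is an added example, not part of the original thread and not Foswiki's own code; it assumes the settings are stored in LocalSite.cfg as Perl assignments of the form `$Foswiki::cfg{Sessions}{Name} = value;`, and the sample text is constructed.

```python
import re

# Values the answer gives for the two settings it treats as fixed.
# {Sessions}{UseIPMatching} is only reported, since the answer says it
# may also be unchecked.
RECOMMENDED = {"IDsInURLs": "0", "MapIP2SID": "0"}
REPORTED = ("IDsInURLs", "MapIP2SID", "UseIPMatching")

# Matches lines such as: $Foswiki::cfg{Sessions}{MapIP2SID} = 0;
# Commented-out lines start with '#' and therefore never match.
SETTING_RE = re.compile(
    r"^\s*\$Foswiki::cfg\{Sessions\}\{(\w+)\}\s*=\s*'?([^';]*)'?\s*;"
)

def read_session_settings(cfg_text):
    """Return {name: value} for each {Sessions}{...} assignment; last one wins."""
    found = {}
    for line in cfg_text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def audit(cfg_text):
    """Return (name, value, status) for each setting named in the thread."""
    settings = read_session_settings(cfg_text)
    report = []
    for name in REPORTED:
        value = settings.get(name)
        if value is None:
            status = "not set in this file"
        elif name in RECOMMENDED and value != RECOMMENDED[name]:
            status = "differs from the value in the answer"
        else:
            status = "ok"
        report.append((name, value, status))
    return report

# Constructed sample, not taken from the asker's system.
SAMPLE_CFG = """\
$Foswiki::cfg{LoginManager} = 'Foswiki::LoginManager::TemplateLogin';
$Foswiki::cfg{Sessions}{MapIP2SID} = 1;
# $Foswiki::cfg{Sessions}{IDsInURLs} = 1;
$Foswiki::cfg{Sessions}{UseIPMatching} = 1;
"""

if __name__ == "__main__":
    for name, value, status in audit(SAMPLE_CFG):
        print(f"{{Sessions}}{{{name}}} = {value!r}: {status}")
```

A setting reported as "not set in this file" falls back to whatever default the installation ships with, so confirm it in configure.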
 

QuestionForm

Subject Authentication or Authorisation
Extension
Version Foswiki 2.1.3
Status Asked
Related Topics
Topic revision: r2 - 21 Feb 2017, GeorgeClark - This page was cached on 19 Aug 2018 - 23:11.