Details
-
Bug
-
Resolution: Fixed
-
High
-
0.4.4
-
None
Description
When a valid (but unauthorized) principal (user) of Crowd tries to login to the Administration Console after an (authorized) administrator has been logged in and then logged out on the same computer, this unauthorized principal will be granted access to the Administration Console during some time window (approx. 5 minutes).
Clearing all cookies in the browser when the authorized admin has logged out doesn't help to avoid the problem. Expiring the session in the Administration Console doesn't help either - the login will be successful again when performed within the time window.
Ironically if this unauthorized principal (when being logged in) surfs to Applications - Crowd - Config Test and provides his credentials there, he is (correctly) rejected ("Invalid verification").
Attachments
Issue Links
- is related to
-
CWD-216 Crowd session token should be unique for each user, directory, machine
- Closed