[Secure-testing-team] Bug#703138: davical: logout doesn't work when a LSID cookie is there
Christoph Anton Mitterer
calestyo at scientia.net
Sat Mar 16 02:12:02 UTC 2013
Package: davical
Version: 1.1.1-1
Severity: important
Tags: security upstream

Hi.

When one logs on to the admin pages using the "forget me not"
checkbox (which actually creates a LSID, aka long term session ID,
cookie) the logout button doesn't work anymore as expected.

As soon as one goes to a valid URI within the admin pages
(I think the CalDAV URI space should not be affected) one is
logged on immediately... and more "normal" sid cookies are generated.

IMHO, when the logout button is clicked, one should expect that
all LSID and SID cookies are removed immediately.

Marking this as security relevant, as the user may not see that the
logout didn't work.

Cheers,
Chris.
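
A check for the behaviour this report expects from the logout button, as an added example that is not part of the original message or of DAViCal's code: given the Set-Cookie headers of a logout response, it lists the session cookies the response fails to delete. The cookie names `sid` and `lsid` follow the report's wording and are matched case-insensitively as an assumption; the sample headers are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Names follow the report's wording (assumption); compared in lower case.
SESSION_COOKIES = ("sid", "lsid")

def parse_set_cookie(header):
    """Split one Set-Cookie value into (lower-cased name, attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip().lower(), attrs

def is_cleared(attrs, now):
    """True if the attributes tell the browser to delete the cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # an invalid Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False  # no expiry attribute: the cookie stays valid

def uncleared_session_cookies(set_cookie_headers, now=None):
    """Return the session cookies a logout response leaves in place."""
    now = now or datetime.now(timezone.utc)
    cleared = dict.fromkeys(SESSION_COOKIES, False)
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name in cleared:
            cleared[name] = is_cleared(attrs, now)  # the last header wins
    return sorted(name for name, ok in cleared.items() if not ok)

# Constructed logout responses: the first leaves the long term cookie alone.
BUGGY_LOGOUT = ["sid=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/"]
FIXED_LOGOUT = BUGGY_LOGOUT + ["lsid=deleted; Max-Age=0; Path=/"]

if __name__ == "__main__":
    print("buggy:", uncleared_session_cookies(BUGGY_LOGOUT))
    print("fixed:", uncleared_session_cookies(FIXED_LOGOUT))
```

The check covers only the cookie names; a deletion header must also carry the same Path and Domain as the cookie it is meant to remove.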