Koozali.org: home of the SME Server

Server-manager, no "logoff"?!

F.Briffod

Server-manager, no "logoff"?!
« on: February 01, 2002, 11:27:55 AM »
This is another security issue:
There is no "logoff" or "sign out" or something that automatically removes files from cache. So, if you close the window of your web "server-manager", open a new one and try to contact the server-manager again with http, no password is required!?!!
This could be dangerous because "everybody" could use your computer to access Server-manager!

Thanks.

F.Briffod

Luke Drumm

Re: Server-manager, no "logoff"?!
« Reply #1 on: February 01, 2002, 01:40:45 PM »
I can't speak for anybody else but my setup seems to work as expected.

If I log into server-manager, close down my browser (IE 6) and then attempt to get into server manager again, it prompts me for the password again.
This seems in line with any other session based password protection scheme.

PS: Please note that in the case of some browsers, all windows need to be closed before the browser will dispose of the login details.

Regards,
Luke

Charlie Brady

Re: Server-manager, no "logoff"?!
« Reply #2 on: February 01, 2002, 06:39:18 PM »
Luke Drumm wrote:

> If I log into server-manager, close down my browser (IE 6)
> and then attempt to get into server manager again, it prompts
> me for the password again.
> This seems inline with any other session based password
> protection scheme.

Perfectly correct. This is a limitation of the HTTP authentication system and there is nothing that we can do about it.
 
> PS: Please note that in the case of some browsers, all
> windows need to be closed before the browser will dispose of
> the login details.

To be safe, let's say "all browsers".

Regards

Charlie

Sergio

Re: Server-manager, no "logoff"?!
« Reply #3 on: February 01, 2002, 07:42:52 PM »
Sorry, but this is not a good solution. Using the basic authentication mechanism of the web server is asking for real trouble as it exposes the passwords in plain view (Yes there is https... but is it not good enough?)

You should build a logon that issues a session cookie and checks for the cookie's validity. You should be able to do this as a component that is attached to the administration cgi script and launch each functionality as a loadable package.

Then, logging off is as simple as erasing the cookie. The administrator then doesn't need to turn off the browser.

Another advantage is that you can have one box performing authentication and use the cookie within a whole domain so an admin doesn't need to log in to each box!

Sergio
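The cookie-based logon Sergio describes, and the contrast with Charlie's point that HTTP (Basic) authentication has no server-side logoff, as an added example that is not code from the SME Server project or from any poster in this thread. It is a stand-alone Python sketch: the user table, the cookie name `smsession`, the `/server-manager` path and the 15-minute idle timeout are all constructed assumptions. The server keeps a session table keyed by a random token; `logoff` removes the entry, so even a browser that still holds the old cookie is refused, which is exactly what cannot be done with Basic auth, where the browser simply re-sends the `Authorization` header (shown by `decode_basic_header`, which also illustrates why the credentials are "in plain view" without TLS).

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed user table for the example: username -> (salt, PBKDF2-SHA256 hash).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-fixed-salt-for-demo"  # a real system draws a random salt per user
USERS = {"admin": (_SALT, _hash_password("correct horse", _SALT))}

COOKIE_NAME = "smsession"          # assumed cookie name
COOKIE_PATH = "/server-manager"    # assumed path of the admin CGI
IDLE_TIMEOUT = 15 * 60             # assumed idle timeout in seconds


class SessionStore:
    """Server-side session table: token -> (username, last_seen)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so the timeout can be exercised in tests

    def login(self, username, password):
        """Verify the password; on success issue a fresh random token."""
        rec = USERS.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[token] = (username, self.clock())
        return token

    def check(self, token):
        """Return the username for a live session, or None (expired/unknown)."""
        if token is None:
            return None
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        now = self.clock()
        if now - last_seen > self.idle_timeout:
            del self._sessions[token]
            return None
        self._sessions[token] = (username, now)  # sliding idle window
        return username

    def logoff(self, token):
        """Invalidate the session server-side; the stale cookie is then useless."""
        return self._sessions.pop(token, None) is not None


def set_cookie_header(token):
    """Response header issued after a successful logon."""
    return (f"Set-Cookie: {COOKIE_NAME}={token}; Path={COOKIE_PATH}; "
            "Secure; HttpOnly; SameSite=Strict")


def clear_cookie_header():
    """Response header issued on logoff: Max-Age=0 tells the browser to drop it."""
    return (f"Set-Cookie: {COOKIE_NAME}=; Path={COOKIE_PATH}; Max-Age=0; "
            "Secure; HttpOnly; SameSite=Strict")


def token_from_cookie_header(cookie_header):
    """Pull our token out of a request's Cookie header ('a=1; smsession=...')."""
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def decode_basic_header(authorization):
    """Basic auth is only base64, not encryption: the pair is readable on the wire."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("admin", "correct horse")
    print(set_cookie_header(tok))
    print("session user:", store.check(tok))
    store.logoff(tok)
    print("after logoff:", store.check(tok))
    print(clear_cookie_header())
```

The `Secure`, `HttpOnly` and `SameSite=Strict` attributes keep the token off plain HTTP, out of reach of page scripts, and out of cross-site requests; Sergio's "one box authenticates for the whole domain" variant would set `Domain=` on the cookie and share the session table between hosts.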

technostruct

Server-manager, no "logoff"?!
« Reply #4 on: September 18, 2004, 12:04:48 AM »
Has anybody done anything for an add-on or found a link to a website regarding this capability??

This is something I would enjoy having myself. I like the server authentication, the 128-bit SSL link, and I'd even more enjoy a "logoff" session cookie.

Anybody ?