Bug #9285 Bypass Log in screen
Submitted: 18 Mar 2005 18:55
Modified: 18 Mar 2005 19:33
Reporter: Vincent Iovino
Status: Not a Bug
Category: Eventum
Severity: S1 (Critical)
Version: 1.4
OS: Linux (Fedora)
Assigned to: Joao Prado Maia
CPU Architecture: Any

[18 Mar 2005 18:55] Vincent Iovino
Description:
There is a security violation in Eventum. Opening a saved Advanced Search URL bypasses the Eventum Log In page.

How to repeat:
1) Run an advanced search 
2) Save the advanced search URL in your browser favorites
3) Log off and/or close all browsers
4) Log on and/or open a new browser
5) Open saved advanced search URL in favorites
6) Page opens without a log-in process.

Suggested fix:
Check for a current login on the advanced search PHP page.

[18 Mar 2005 19:33] Joao Prado Maia
Vincent,

This is not a bug. The login cookie is kept for 8 hours, so you will still be able to open pages even after closing your browser or rebooting your machine. If you want to avoid this, click 'Logout', or change the expiration date on your configuration file (/path-to-eventum/config.inc.php; constant APP_COOKIE_EXPIRE) to something shorter.

--Joao
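
The behaviour discussed in this thread comes down to a server-side freshness check on a persistent login cookie. The following PHP is an added example, not Eventum's code and not part of the original thread: it shows a signed cookie being accepted inside an 8-hour window and rejected once the window passes or is shortened. The cookie layout, the cookie name `login`, `SECRET`, `COOKIE_LIFETIME` and both function names are assumptions made for illustration.

```php
<?php
// Added illustration; not Eventum source. Cookie layout and all names are assumptions.
const COOKIE_LIFETIME = 8 * 60 * 60;      // 8 hours, the lifetime described in the reply
const SECRET = 'constructed-demo-key';    // constructed value; use a random server-side secret

// Build the cookie value: base64(JSON payload) . '.' . HMAC over the encoded payload.
function issue_login_cookie(string $email, int $now): string
{
    $payload = base64_encode(json_encode(['email' => $email, 'login_time' => $now]));
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET);
}

// Return the e-mail if the cookie is authentic and younger than $lifetime, else null.
function check_login_cookie(string $cookie, int $now, int $lifetime = COOKIE_LIFETIME): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;                       // malformed value
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET), $mac)) {
        return null;                       // tampered or forged
    }
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || !is_int($data['login_time'] ?? null)
        || !is_string($data['email'] ?? null)) {
        return null;                       // payload does not have the expected fields
    }
    $age = $now - $data['login_time'];
    return ($age >= 0 && $age < $lifetime) ? $data['email'] : null;
}

$t0 = 1111172100;                          // constructed login time (Unix seconds)
$cookie = issue_login_cookie('user@example.com', $t0);

// Browser closed and reopened 30 minutes later: still accepted, no login page shown.
var_dump(check_login_cookie($cookie, $t0 + 1800));
// Past the 8-hour window: rejected, so the application would send the user to log in.
var_dump(check_login_cookie($cookie, $t0 + COOKIE_LIFETIME + 1));
// Same cookie under a 15-minute lifetime: the 30-minute-old bookmark visit is rejected.
var_dump(check_login_cookie($cookie, $t0 + 1800, 900));
// Browser-side effect of a logout: overwrite the cookie with an expiry in the past.
// setcookie('login', '', ['expires' => time() - 3600, 'path' => '/', 'httponly' => true]);
```

Checking the age on the server, rather than relying only on the browser honouring the cookie's expiry, means a copied or replayed cookie value also stops working once the lifetime has passed.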