
#396 Auto-Login after logout?

Milestone: 4.0.3
Status: closed-works-for-me
Owner: nobody
Priority: 5
Updated: 2014-03-23
Created: 2014-03-20
Creator: Alex
Private: No

Hey,

When I log out from Adminer, close my browser and then use a URL that leads to a schema overview directly, I am logged in automatically.

Steps to reproduce:

(1) Log in to Adminer
(2) Copy the URL from the browser bar
(3) Press Logout
(4) Close your browser
(5) Re-open your browser
(6) Paste the URL from step (2) into the address bar
(7) You see the same page as before, even if you should be logged out
(expected 7) I see the login page

This even works if the browser in steps 1-3 and the browser in steps 5-7 run on different machines. It seems to be related to the user name in the URL. If it is not in one of the GET parameters, it does not work any longer.

This looks like a major security problem.

Alex

Discussion

  • Jakub Vrána
    2014-03-23

    This happens by design if your password is empty. I couldn't reproduce it with a non-empty password.

     
  • Jakub Vrána
    2014-03-23

    • status: open --> closed-works-for-me