When I log out from Adminer, close my browser and then use a URL that leads to a schema overview directly, I am logged in automatically.
Steps to reproduce:
(1) Log in to Adminer
(2) Copy the URL from the browser bar
(3) Press Logout
(4) Close your browser
(5) Re-open your browser
(6) Paste the URL from step (2) into the address bar
(7) You see the same page as before, even though you should be logged out
(expected 7) I see the login page
This even works if the browser in steps 1-3 and the browser in steps 5-7 run on different machines. It seems to be related to the user name in the URL. If it is not in one of the GET parameters, it does not work any longer.
This looks like a major security problem.