[EMAIL PROTECTED] wrote:
I just used the newsgroup of a popular software producer. They use "DNews" from NetWin. I found out that the system has a very bad security leak. What is a "LOGOUT" button for? I think the session or token with the user data should be manually destroyed. If you don't log out (just close the browser), the data will expire in a defined time. So why isn't the user data destroyed when I manually log out??? I can just re-enter the whole site when I copy and paste the URL from the site before.
This is not well done by NetWin. I think you should solve that. Why don't you use server-side sessions? Why do you use URL variables for user data??? Just pass the client a token!
Hi, thanks for reporting this; we will investigate and address the problem in our next dnewsweb build.
ChrisP.
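The flaw described in the thread is a session that outlives the logout click: whatever identifier the page carries in its URL stays valid on the server, so pasting a saved URL back in restores the logged-in view. The Python below is an added illustration, not DNews or dnewsweb code and not based on its implementation; it models a server-side session store keyed by an opaque random token carried as a hypothetical `sid` URL parameter, and contrasts a logout that only redirects with one that destroys the server-side entry. Names, the 600-second TTL and the sample URLs are assumptions made for the example.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Hypothetical idle-session lifetime in seconds (an assumption for this example).
SESSION_TTL = 600


class SessionStore:
    """Server-side sessions: the client only ever holds an opaque token."""

    def __init__(self, ttl=SESSION_TTL):
        self.ttl = ttl
        self._sessions = {}  # token -> {"user": ..., "expires": ...}

    def login(self, user, now=None):
        now = time.time() if now is None else now
        # 256-bit random token; user data itself never leaves the server.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "expires": now + self.ttl}
        return token

    def lookup(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now >= entry["expires"]:
            # Expired: purge so the token cannot be replayed later either.
            del self._sessions[token]
            return None
        return entry["user"]

    def logout_broken(self, token):
        # The behaviour reported in the thread: the client is sent back to the
        # login page, but the server-side entry survives, so a saved URL
        # containing the token still authenticates until the TTL runs out.
        return "redirect:/login"

    def logout(self, token):
        # Hardened: destroy the server-side session. A saved URL is now useless.
        self._sessions.pop(token, None)
        return "redirect:/login"


def handle_request(store, url, now=None):
    """Hypothetical request handler: the token is carried as ?sid=... in the URL."""
    qs = parse_qs(urlparse(url).query)
    token = qs.get("sid", [None])[0]
    user = store.lookup(token, now) if token else None
    if user is None:
        return 401, "login required"
    return 200, f"hello {user}"


def demo():
    """Replays the copy-URL / log-out / paste-URL sequence against both logouts."""
    store = SessionStore()
    results = {}

    # Broken flow: copy the URL, log out, paste the URL back in.
    t = store.login("alice", now=1000)
    saved_url = f"http://news.example/group?sid={t}"
    store.logout_broken(t)
    results["broken_after_logout"] = handle_request(store, saved_url, now=1001)[0]

    # Fixed flow: the same sequence with the session destroyed on logout.
    t = store.login("bob", now=1000)
    saved_url = f"http://news.example/group?sid={t}"
    store.logout(t)
    results["fixed_after_logout"] = handle_request(store, saved_url, now=1001)[0]

    # Closing the browser without logging out: the TTL is the only protection.
    t = store.login("carol", now=1000)
    url = f"http://news.example/group?sid={t}"
    results["before_expiry"] = handle_request(store, url, now=1000 + SESSION_TTL - 1)[0]
    results["after_expiry"] = handle_request(store, url, now=1000 + SESSION_TTL)[0]
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: HTTP {status}")
```

Even with the fixed logout, a token in the URL is still weaker than one in a cookie: it lands in browser history, proxy logs and the Referer header of any outbound link, which is the second point the poster raises. The store above is deliberately transport-agnostic, so moving the token from `?sid=` to a cookie only changes `handle_request`.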
