this is a security "feature" related to the way the imail webmessaging engine implements cookies
and session management and has nothing to do with hksi's interfaces per se (although hksi
has done some nice work to beef up session duration)
imail's default timeout on a webmessaging cookied session is, i think, 12 minutes
that should give you enough information to do further experiments
also, try copying the session cookie and url to an entirely different system and see if you
can hijack the session - it won't work . . .
 
Eric S. Williams
vCty, Inc.
 
 
 -----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Larry Pittman
Sent: Monday, December 03, 2001 10:44 AM
To: '[EMAIL PROTECTED]'
Subject: [imail] Security issue

A user brought it to my attention that after he's been looking at mail, he can close the browser, then re-open it, check his history and click on a link that goes directly to the inbox, without logging in.
 
I confirmed this to be true for me.
 
Am I missing something here or is this a major security breach?
 
-Larry
Pastors.com
