[Full-disclosure] Session Token Remains Valid After Logout in IBM Lotus Domino Web Access

2006-09-12 Thread Ferguson, David
I. SYNOPSIS
Title: Session Token Remains Valid After Logout in IBM Lotus Domino Web Access 7.0.1
Release Date: 09/12/2006
Affected Application: IBM Lotus Domino Web Access 7.0.1 (versions prior to 7.0.1 were not tested but may still be vulnerable).
Nominal Severity: Low
Severity If Successfully

Re: [Full-disclosure] Session Token Remains Valid After Logout in IBM Lotus Domino Web Access

2006-09-12 Thread Trey Keifer
How is this a vulnerability? This is a common design trade-off of SSO tokens. In order to support the user opening and closing multiple applications and not requiring them to log in again to individual applications (which is the point of SSO), they must invalidate the token in specific instances

RE: [Full-disclosure] Session Token Remains Valid After Logout in IBM Lotus Domino Web Access

2006-09-12 Thread Ferguson, David
-Dave

From: Trey Keifer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 12, 2006 11:34 AM
To: Ferguson, David
Subject: Re: [Full-disclosure] Session Token Remains Valid After Logout in IBM Lotus Domino Web Access

The problem I see is that the user explicitly chose to log