Ticket #292 (new Bug)
Able to view document even when session is timed out/closed
| Reported by: | ross@… | Owned by: | somebody |
|---|---|---|---|
| Priority: | Minor | Milestone: | |
| Component: | Frontend (wiki) | Version: | 1.4.1 |
| Keywords: | | Cc: | |
Description
[jira2trac import : issue created on June 7, 2006 8:57:47 AM CEST http://issues.cocoondev.org/browse/DSY-292 ]
It is possible to view document contents, under certain circumstances, even when the user has logged out or the session has timed out. Here's how to reproduce the problem:
- login as normal
- view a page not visible to guests
- edit the page
- save the page
- log out (or allow the session to timeout)
- hit the back button so that you go to the previous edit page
You can now see the content of the document. The wiki prevents any changes being saved, which is good. But a user with no login is able to view the contents of a page that should be private.
[jira2trac import : comment created by bruno on June 7, 2006 9:36:32 AM CEST]
I hope you don't mind that I changed the priority to minor (which should read as 'normal', not implying that this issue is unimportant).
The reason one can go back is because the editor is controlled by an 'apple', which is a sort-of-session in itself, and these are not removed when the main session is removed (which is what happens when logging out). I think this could be easily changed in Cocoon.
This can of course be a problem when a computer is shared between multiple persons using the same user account, but then there's all sorts of stuff which you might not want other people to see, such as your browsing history. And when you clean that up, it wouldn't be possible to go back to that editing URL either.
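The reproduction steps in the report and the mechanism in the comment above (an editor continuation, the "apple", that outlives the main login session) can be modelled in a few lines. The following is an added illustration, not code from this ticket and not Daisy or Cocoon code; the class, method and store names (WikiServer, open_editor, view_editor, the sessions and continuations dicts) and the sample page are all assumed. The vulnerable variant serves the edit page whenever the continuation still exists; the hardened variant binds every continuation to the session that created it, re-checks that binding on each request, and discards the session's continuations at logout.

```python
# Added illustration of the mechanism described in this ticket; this is not
# Daisy or Cocoon code. It models two separate server-side stores: the main
# login session, and an editor "continuation" (Cocoon's apple) that is created
# when a user opens the editor and is addressed by its own id in the edit URL.
# All names (WikiServer, open_editor, view_editor, ...) are hypothetical.
import secrets


class WikiServer:
    def __init__(self, hardened: bool):
        # hardened=False reproduces the reported behaviour; hardened=True
        # binds each continuation to its session and drops it on logout.
        self.hardened = hardened
        self.sessions = {}       # session id -> {"user": name}
        self.continuations = {}  # continuation id -> {"session": sid, "doc": name}
        # constructed sample data: one page that guests may not read
        self.docs = {"private-page": {"readers": {"ross"}, "body": "secret text"}}

    def login(self, user: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user}
        return sid

    def _user(self, sid):
        sess = self.sessions.get(sid)
        return sess["user"] if sess else None   # None == guest / expired session

    def _can_read(self, user, doc: str) -> bool:
        return user is not None and user in self.docs[doc]["readers"]

    def open_editor(self, sid: str, doc: str) -> str:
        """Open the edit page; returns the continuation id carried in the edit URL."""
        if not self._can_read(self._user(sid), doc):
            raise PermissionError("not readable by this user")
        cid = secrets.token_hex(8)
        self.continuations[cid] = {"session": sid, "doc": doc}
        return cid

    def view_editor(self, sid: str, cid: str):
        """GET of the edit URL, i.e. what the back button replays.
        Returns the document body, or None for 'no such page'."""
        cont = self.continuations.get(cid)
        if cont is None:
            return None
        if self.hardened:
            # re-check the owning session on every request of the continuation
            if cont["session"] != sid or sid not in self.sessions:
                return None
        # vulnerable path: the continuation alone is taken as proof of access
        return self.docs[cont["doc"]]["body"]

    def save(self, sid: str, cid: str, body: str) -> None:
        """Save checks the main session in both variants (the ticket notes
        that saving is already refused after logout)."""
        cont = self.continuations.get(cid)
        if cont is None or not self._can_read(self._user(sid), cont["doc"]):
            raise PermissionError("save refused")
        self.docs[cont["doc"]]["body"] = body

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)
        if self.hardened:
            # tear down every continuation that belonged to this session
            self.continuations = {c: v for c, v in self.continuations.items()
                                  if v["session"] != sid}


def reproduce(hardened: bool):
    """Run the ticket's steps; returns (content seen after logout, save allowed)."""
    srv = WikiServer(hardened)
    sid = srv.login("ross")                        # login as normal
    cid = srv.open_editor(sid, "private-page")     # view + edit a private page
    srv.save(sid, cid, "updated secret text")      # save the page
    srv.logout(sid)                                # log out / session timed out
    leaked = srv.view_editor(sid, cid)             # back button replays the edit URL
    try:
        srv.save(sid, cid, "tampered")
        save_allowed = True
    except PermissionError:
        save_allowed = False
    return leaked, save_allowed


if __name__ == "__main__":
    print("vulnerable:", reproduce(hardened=False))  # ('updated secret text', False)
    print("hardened:  ", reproduce(hardened=True))   # (None, False)
```

Two things matter in the hardened variant: the logout hook that removes the session's continuations, and the per-request check in view_editor, which also covers the timeout case where no logout request is ever made. The model only covers server-side state; if the browser serves the edit page from its own cache instead of re-requesting it, the server is never consulted, so the edit page should additionally be sent with `Cache-Control: no-store` (a general precaution, not something the ticket discusses).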