Snitz Forums 2000
 Mod or Bug: Admin Logout Security Issue & Fix

seven
Senior Member

USA
1037 Posts

Posted - 17 April 2001 : 18:21:51
Well folks, I am not sure if this is a bug or a mod, maybe the great Snitz gurus can decide, but I'd rather not have this buried in the forums somewhere where it can't be found.
Basically I noticed that if I was viewing an admin page and logged out, I was able to remain using the admin pages because the session was still active. I did not like this. I edited the sub ClearCookies() function in the file inc_functions.asp to remove all active sessions upon logout.
The modification is the second line as commented. Please let me know what everyone thinks of this change.
I can't wait to release my version of Snitz... It's almost done!!!

sub ClearCookies()
    Session.Abandon() ' #### Security Patch April 17 2001 ###
    if strSetCookieToForum = 1 then
        Response.Cookies(strUniqueID & "User").Path = strCookieURL
    else
        Response.Cookies(strUniqueID & "User").Path = "/"
    end if
    Response.Cookies(strUniqueID & "User") = ""
    'Response.Cookies(strUniqueID & "User").Expires = dateadd("d", -2, strForumTimeAdjust)
end sub

Marino
Starting Member

Canary Islands
42 Posts

Posted - 17 April 2001 : 18:39:13
I'm running to implement it. I think it is a great idea that covers a little security hole (that can be a big hole if you use a shared computer).

I think it won't have a big impact on the site I am building, because I have moved all files to different folders (different folders for forum files, links manager files, classifieds files, portal resources files, poll files, images, includes and admin files). And of course, the admin folder is password protected.

Thanks for this SR / Mod.



Marino

RichardKinser
Snitz Forums Admin

USA
16655 Posts

Posted - 17 April 2001 : 19:06:14
In the latest Alpha this has been fixed. If you are at an Admin page and then logout you get redirected to admin_login.asp because the session "Approval" has been cleared.

This was added to sub ClearCookies() in inc_functions.asp:


Session(strCookieURL & "Approval") = ""
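
Added example (not part of the thread and not Snitz code): a small Python model of the three logout behaviours discussed above, showing what remains server-side after each one. The class, the function names, the flag value "granted" and the session id are hypothetical; the only things taken from the thread are the "Approval" session value, the "User" cookie and the redirect to admin_login.asp.

```python
# Model of the logout flaw discussed in this thread (constructed; not Snitz code).
# All names here (Server, admin_page, logout_*) are hypothetical.

class Server:
    def __init__(self):
        self.sessions = {}          # session id -> server-side session data

    def admin_login(self, sid):
        # Both the login cookie and the server-side admin flag are set.
        # "granted" is an assumed flag value, "other" stands for unrelated state.
        self.sessions[sid] = {"Approval": "granted", "other": "draft text"}
        return {"User": "admin"}    # cookie sent to the browser

    def admin_page(self, sid):
        # Admin pages are modelled as trusting only the server-side flag.
        if self.sessions.get(sid, {}).get("Approval") == "granted":
            return "200 admin page"
        return "302 admin_login.asp"

    # Behaviour before either fix: only the browser cookie is cleared.
    def logout_cookie_only(self, sid, cookies):
        cookies["User"] = ""

    # RichardKinser's fix: also blank the "Approval" session value.
    def logout_clear_approval(self, sid, cookies):
        cookies["User"] = ""
        if sid in self.sessions:
            self.sessions[sid]["Approval"] = ""

    # seven's fix: drop the whole session, modelled after Session.Abandon().
    def logout_abandon(self, sid, cookies):
        cookies["User"] = ""
        self.sessions.pop(sid, None)


def run(logout_name):
    """Log in, log out with the named variant, then request an admin page."""
    srv, sid = Server(), "sid-1"    # constructed session id
    cookies = srv.admin_login(sid)
    getattr(srv, logout_name)(sid, cookies)
    leftover = sorted(k for k, v in srv.sessions.get(sid, {}).items() if v)
    return srv.admin_page(sid), leftover


if __name__ == "__main__":
    for name in ("logout_cookie_only", "logout_clear_approval", "logout_abandon"):
        print(name, run(name))
```

Both fixes close the admin page; they differ in that clearing only "Approval" leaves any other session state in place, while abandoning the session removes it all.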
Snitz Forums 2000 © 2000-2021 Snitz™ Communications
Powered By: Snitz Forums 2000 Version 3.4.07