We are using AM to SSO into our web portal (Portal), and subsequently access another website (F-Website) within an iframe of Portal.
The problem is that we can't kill F-Website's session when a user logs out of the portal, but does not close the browser. So, if this happens on a shared computer, and another person goes directly to an inner page of F-Website, they now have access to the previous user's account. I'll break it down into a step-by-step scenario:
On a shared computer:
- User "A" logs into Portal.
- User "A" navigates to F-Website within an iframe of Portal.
- User "A" logs out of Portal (but does not close the browser).
- User "B" logs directly into a F-Website inner page (bypassing a login screen).
- User "B" will then have access to User "A"s F-Website account.
Note: If User "B" accesses F-Website through Portal, User "A"s session data is destroyed before User "B" gets into it. We could do this because we can pass the user name from Portal to F-Website so that it can compare the session username to the passed username, and see they are different. But, if User "B" goes directly into F-Website, this isn't possible.
This scenario is unlikely, but still possible. So, we need to know if there's a built-in method to help with this issue.
Possible fix: Add a hidden frame in the Access Manager "logged-out" page that opens F-Website's logout page. Would this hack work without side effects? Is there a better method?
Thanks,
Anders