Opened 15 years ago
Closed 15 years ago
#11763 closed (invalid)
Admin Interface - Login - Security Concern
Reported by: | AmirHabibi | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 1.1 |
Severity: | | Keywords: | Login Security |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Users logging into the admin interface and closing the browser without pressing the logout link would cause Django to automatically log them in the next time that the browser points to the admin URL. This is a serious security issue if a user account is accessed by using a public computer, or for users of an enterprise application where a user may use different computers to log in to the account.
You can just set SESSION_EXPIRE_AT_BROWSER_CLOSE to true or change some other session-related settings? What you want here is to have an additional session system for the admin interface.
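The following is an added example, not part of the ticket and not Django's own code. It is a simplified model of why the reported behaviour occurs and what SESSION_EXPIRE_AT_BROWSER_CLOSE changes: with the setting off, the session cookie carries an explicit lifetime and outlives the browser process. The helper names `session_set_cookie` and `survives_browser_close` and the sample session key are assumptions made for illustration.

```python
# Added illustration: a simplified model of how a session cookie is emitted,
# not Django's SessionMiddleware source.
from http.cookies import SimpleCookie

SESSION_COOKIE_NAME = "sessionid"   # Django's default cookie name
SESSION_COOKIE_AGE = 1209600        # Django's default: two weeks, in seconds


def session_set_cookie(session_key, expire_at_browser_close):
    """Return the Set-Cookie header value for a session (hypothetical helper).

    expire_at_browser_close mirrors the SESSION_EXPIRE_AT_BROWSER_CLOSE setting.
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE_NAME] = session_key
    morsel = cookie[SESSION_COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True
    if not expire_at_browser_close:
        # Persistent cookie: kept on disk until Max-Age runs out, so a
        # reopened browser is still logged in.
        morsel["max-age"] = SESSION_COOKIE_AGE
    # Otherwise no Max-Age/Expires is sent, which makes it a browser-session
    # cookie that is discarded when the browser closes.
    return morsel.OutputString()


def survives_browser_close(set_cookie_value):
    """True if the cookie carries an explicit lifetime (Max-Age or Expires)."""
    attrs = [part.strip().lower() for part in set_cookie_value.split(";")[1:]]
    return any(a.startswith(("max-age=", "expires=")) for a in attrs)


if __name__ == "__main__":
    key = "constructed-session-key"  # constructed sample value
    for flag in (False, True):
        header = session_set_cookie(key, flag)
        print(f"SESSION_EXPIRE_AT_BROWSER_CLOSE={flag}: {header}")
        print("  survives browser close:", survives_browser_close(header))
```

Browsers configured to restore the previous session on startup may keep session cookies across a restart, so a shorter SESSION_COOKIE_AGE remains useful as a server-side limit on shared machines.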