Hi Stefan,
thanks for this information.
I cannot understand and reproduce this.
Each REST call requires an Authorization Token (JWT) to be sent in
the header. If this token is not available, the API call will refuse
the connection, i.e. the authentication is done below the UI level
and is also tested in some of the unit tests.
Additionally, when you press F5, the single page application is
loaded anew and it should forget all data - also the JWT.
You can see the behaviour when you issue a request directly to
https://yourserver/audit; you will get:
{
"id": 1,
"jsonrpc": "2.0",
"result": {
"error": {
"code": -401,
"message": "missing Authorization header"
},
"status": false
},
"version": "xyz"
}
If you don't get this message, the browser still has the
authorization header intact.
I can only assume that the JWT remains in IE's browser cache and
gets "activated" and sent during the F5 presses.
Nevertheless, I am curious at which point IE did not clear it.
So when can you see this behaviour? After having logged out? Can you
see it with a newly started IE?
Thanks a lot and kind regards
Cornelius
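To make the point above concrete, here is an added example, not privacyIDEA's own code: a stand-alone model of an API endpoint that checks for a JWT in the Authorization header before doing any work, and answers with the JSON-RPC-style envelope shown in the thread when the header is missing or the token does not verify. Everything beyond the thread is an assumption: HS256 signing with a server-side secret, acceptance of either the raw token or a "Bearer " prefix, an "exp" claim, a hypothetical audit_handler that returns constructed sample rows, and "xyz" as a placeholder version string.

```python
"""Added example (not privacyIDEA code): enforce a JWT below the UI level."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"assumed-server-secret"   # assumption: stands in for the real signing key
VERSION = "xyz"                     # placeholder, as in the response quoted in the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT, i.e. what a login endpoint would hand to the SPA."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims if signature and expiry check out, otherwise raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse alg confusion, including "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" in claims and claims["exp"] <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def error_envelope(code: int, message: str, req_id: int = 1) -> dict:
    """The failure envelope quoted in the thread: result.error with a negative code."""
    return {"id": req_id, "jsonrpc": "2.0",
            "result": {"error": {"code": code, "message": message}, "status": False},
            "version": VERSION}


def handle_request(headers: dict, handler, now=None) -> dict:
    """Authenticate before dispatch: without a valid JWT the handler is never called."""
    # HTTP header names are case-insensitive; normalise before the lookup.
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization")
    if not auth:
        return error_envelope(-401, "missing Authorization header")
    token = auth[7:] if auth.startswith("Bearer ") else auth  # assumption: both forms accepted
    try:
        claims = verify_token(token, now=now)
    except ValueError as exc:
        return error_envelope(-401, f"invalid Authorization header: {exc}")
    return {"id": 1, "jsonrpc": "2.0",
            "result": {"status": True, "value": handler(claims)}, "version": VERSION}


def audit_handler(claims: dict) -> dict:
    """Hypothetical /audit handler returning constructed sample data."""
    return {"user": claims["username"],
            "auditdata": [{"action": "GET /audit", "success": True}]}


if __name__ == "__main__":
    # A freshly loaded page holds no token, so the first call is refused.
    print(json.dumps(handle_request({}, audit_handler), indent=2))
    tok = make_token({"username": "admin", "exp": int(time.time()) + 3600})
    print(json.dumps(handle_request({"Authorization": tok}, audit_handler), indent=2))
```

Against a real instance the same check is `curl -s https://yourserver/audit` with and without `-H "Authorization: <token>"`: the bare request must return the -401 envelope. If the audit data comes back without the header, the server side is at fault; if it only comes back once the browser adds the header, the token survived the reload on the client, which is the case Cornelius suspects.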
On 28.02.2015 at 21:12, Stefan
Steuer wrote:
and after I click on the resolver name in the audit
log I can see the configuration of the whole system - without
any login.
On Saturday, February 28, 2015 at 9:10:28 PM UTC+1, Stefan
Steuer wrote:
Hi Cornelius,
I found a big bug in privacyidea.
When I open the URL to my privacyidea control panel
and try to open the audit log without any login, I'll get
the login screen. When I press F5 two times, I'll
see the whole audit log.
--
You received this message because you are subscribed to the Google
Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/0d346363-bdc4-49a3-925c-8552eb0468e7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.