Version:v0.2.0
First, log in to the back end normally and send query requests. Note the cookies that are sent.
Then click the exit login button. At this point the back-end code does not delete the user's session; it only redirects to the login page. You can see that the requested data can still be obtained normally with the previous cookie. An attacker can therefore log in to the system again with the help of the browser cache after the user has logged out.
Repair suggestion: when exiting the login, delete the user's session first, and then jump to the login page.