Package: davical
Version: 1.1.1-1
Severity: important
Tags: security upstream


Hi.

When one logs on to the admin pages using the "forget me not"
checkbox (which actually creates an LSID, aka long term session ID,
cookie) the logout button doesn't work anymore as expected.

As soon as one goes to a valid URI within the admin pages
(I think the CalDAV URI space should not be affected) one is
logged on immediately... and more "normal" sid cookies are generated.

IMHO, when the logout button is clicked, one should expect that
all LSID and SID cookies are removed immediately.


Marking this as security relevant, as the user may not see that the
logout didn't work.


Cheers,
Chris.
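
The behaviour reported above, as an added example that is not part of the original report and is not DAViCal code: a toy model of SID/LSID handling showing why a logout that ends only the normal session is undone by the long-term cookie, next to a logout that revokes both. The class, method and cookie key names are hypothetical.

```python
import secrets

class AdminSessions:
    """Toy server-side model: short-lived SIDs plus long-term LSIDs ("forget me not")."""

    def __init__(self):
        self.sids = {}    # sid token  -> username
        self.lsids = {}   # lsid token -> username

    def login(self, user, remember):
        cookies = {"sid": secrets.token_hex(16)}
        self.sids[cookies["sid"]] = user
        if remember:
            cookies["lsid"] = secrets.token_hex(16)
            self.lsids[cookies["lsid"]] = user
        return cookies

    def request(self, cookies):
        """Return (user, cookies) for a request to an admin URI."""
        user = self.sids.get(cookies.get("sid"))
        if user is None and cookies.get("lsid") in self.lsids:
            # Silent re-login from the long-term cookie: a fresh SID is issued.
            user = self.lsids[cookies["lsid"]]
            cookies = dict(cookies, sid=secrets.token_hex(16))
            self.sids[cookies["sid"]] = user
        return user, cookies

    def logout_sid_only(self, cookies):
        """Reported behaviour: only the normal session is ended."""
        self.sids.pop(cookies.get("sid"), None)
        return {k: v for k, v in cookies.items() if k != "sid"}

    def logout_all(self, cookies):
        """Expected behaviour: revoke SID and LSID server-side, drop both cookies."""
        self.sids.pop(cookies.get("sid"), None)
        self.lsids.pop(cookies.get("lsid"), None)
        return {}

def still_logged_in_after(logout_name):
    """Log in with 'remember', log out, then visit an admin URI again."""
    srv = AdminSessions()
    cookies = srv.login("admin", remember=True)
    cookies = getattr(srv, logout_name)(cookies)
    user, _ = srv.request(cookies)
    return user is not None

if __name__ == "__main__":
    print("sid-only logout, still logged in:", still_logged_in_after("logout_sid_only"))
    print("full logout, still logged in:   ", still_logged_in_after("logout_all"))
```

Revoking the LSID on the server, not just expiring the cookie in the browser, is what makes a copy of the old cookie useless after logout.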

