Security breach when using 2 IE screens

Name	Points
Greg Moeller	4184
David Williams	3349
JonA	3291
Kat V	2984
Woozy	1973
Jimmy Chiu	1883
Kwane McNeal	1437
Ragu Raghavan	1372
Roger French	1315
mark.cook	1244

andrew

Veteran Member

Posts: 100

12/5/2009 1:40 AM

I have noticed that if I login to portal using my own login...then open another IE window and login using my ESS login (we still use LAUA...lock down for application login and have generic security class for ESS users)...my first login session is going - but the security used is from my second login.

For us...my security does not allow corporate access - but when I open that second IE browser window (staying logged into the first window) and login using ESS login (which, of course, has to allow corporate access so i can see my ESS info) - my first login then allows me corporate access.

Process.

1. open IE and login using regular username

2. open second IE and login using ESS login

3. go back to first window - security seems to use the security class assigned to my ESS login and Not my regular login.

Windows and SQL 2005 setup, LAUA security, websphere.

Any ideas.

John Henley

Posts: 3353

12/5/2009 2:19 PM

This is actually a fairly common (and hotly debated) browser issue. It is rooted in how browser sessions are created, and the sharing across browser sessions of cookies used to track the user.

My understanding is that if you use Ctrl-N from session 1 to create a new IE session 2, it is started in the same process as session 1, and therefore retains/shares the same cookies. (this sounds like the scenario you are describing.) However, if you actually launch a second instance of IE, it will maintain separate cookies.

Which method are you using to open the second IE window? Also, which IE version? I think this was how it worked in IE6, and then it was fixed in IE7, and then IE8 reverted back to IE6 behavior, but added the -nomerge switch to act like IE7.

andrew

Veteran Member

Posts: 100

12/5/2009 3:53 PM

I am on 8 - believe or not my PC runs Windows 7 and the only thing to freeze up so far is IE 8 (everything else is stable - not bad mr. gates).
Anyhow - process

1. open browser, login to portal
2. select file - new window
3. this will open duplicate page....log off this window
4. log back on (this is the second window) using ESS login
5. go back to very first window...and there you have it...open to the world.

I will have to test it in IE 7

Any "quick" solution \ suggestion.?
I was thinking of trying to put together a ESS role and start using LS9 for Ess logins (until we can get fully deployed in LS9) - would that work ? - maybe no if it is a IE cookie issue.

By the way, john - thanks for the reply, it is appreciated.

John Henley

Posts: 3353

12/5/2009 4:45 PM

Do a search on the -noMerge flag and see if that works for your scenario. Regardless...how this is really a security breach?

andrew

Veteran Member

Posts: 100

12/6/2009 5:15 PM

What occurs is that we have a user (accountant) login using their own login. They are secured from corporate payroll - but have HR11 access for other process levels.

They click on file - new window in IE - it brings up duplicate window...

they log off this windows and login to their ESS account (please note we have search box disabled for ESS.xml form)

then when they go back to their original screen and go to HR11 - they can bring up their own information in the HR 11 screen and other HR screens they have access to.

very strange

GregSl

Veteran Member

Posts: 38

12/7/2009 12:35 AM

I would work with ESS Security only, to see what an ESS account can access. ESS access has to be limited Only to the user on both HR11 and all relevant tables.

andrew

Veteran Member

Posts: 100

12/9/2009 5:54 PM

Lawson is pushing the issue to Microsoft and the way IE runs - parent - child relations.
Working on cleaning up the ESS security class we have for ESS access.
Also looking at removing the logout button in portal.