Thursday, 27 April 2017

Auto-login disabled in parallel pages

If you have an account with Lloyds Bank, and you log on through their website at http://ift.tt/2qahlsd, when you open a separate window on the same website in the same browser, that parallel page does not get logged in as well, and you are required to log in again.

The questions are:

1) At a high level, how is it possible to implement such a feature in a web product? If they used cookies to cache the authentication, then it should not matter: the second page should be logged straight in, because the browser is sending the same cookies.

2) What are the security flaws behind allowing parallel pages to be opened and logged on in websites?



