This question about Authentication or Authorisation: Asked
Last User Remembered
--
WesleyJacobs - 21 Feb 2017
System is remembering the last user that logs in.
LoginManager is set to Foswiki::LoginManager::TemplateLogin
I can log in as my user, then have someone else log in from another client, I click on a topic or refresh and "presto", I'm now that user from the other client.
--
WesleyJacobs - 21 Feb 2017
I've not seen Foswiki behave this way. Are you accessing Foswiki via a portal or proxy that might be confusing things? There are a few configuration settings to check (they are "expert" settings on the Security and Authentication - Sessions tab):
{Sessions}{IDsInURLs} = 0
{Sessions}{MapIP2SID} = 0
{Sessions}{UseIPMatching} = 1
The MapIP2SID setting should be unchecked in configure. You could also uncheck the UseIPMatching setting. In a normal Cookies environment, the only way for one user to "steal" another user's identity would be to somehow hijack the FOSWIKISID or SFOSWIKISID cookie. The session ID is a new unique random string generated during login. Unless the browser presents that ID in the cookie, I can't see how a session could be stolen this way.
--
GeorgeClark - 21 Feb 2017
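
The symptom in the question can be reproduced with a simplified model of the two session-tracking modes discussed in the answer. This is an added example, not part of the original posts and not Foswiki's own code. It assumes that MapIP2SID keys the session on the client IP address and that every client reaches the server through one proxy, so the server sees a single address (`PROXY_IP`, a constructed value); the class and function names are hypothetical.

```python
import secrets


class SessionStore:
    """Toy session store; map_ip2sid models keying sessions on the client IP."""

    def __init__(self, map_ip2sid):
        self.map_ip2sid = map_ip2sid
        self.sessions = {}   # session ID -> user name
        self.ip_to_sid = {}  # client IP -> session ID (IP-mapping mode only)

    def login(self, user, client_ip):
        sid = secrets.token_hex(16)  # new random session ID for each login
        self.sessions[sid] = user
        if self.map_ip2sid:
            # A later login from the same address replaces the earlier mapping.
            self.ip_to_sid[client_ip] = sid
        return sid  # in cookie mode the browser stores this value

    def whoami(self, client_ip, cookie_sid=None):
        if self.map_ip2sid:
            sid = self.ip_to_sid.get(client_ip)  # the cookie is ignored
        else:
            sid = cookie_sid  # identity follows the cookie the browser presents
        return self.sessions.get(sid, "guest")


PROXY_IP = "10.0.0.1"  # constructed: the address the server sees for all clients


def simulate(map_ip2sid):
    """Two users log in through the same proxy; return who each one appears as."""
    store = SessionStore(map_ip2sid)
    cookie_a = store.login("UserA", PROXY_IP)
    cookie_b = store.login("UserB", PROXY_IP)
    return (store.whoami(PROXY_IP, cookie_a), store.whoami(PROXY_IP, cookie_b))


if __name__ == "__main__":
    print("IP mapping on :", simulate(True))
    print("IP mapping off:", simulate(False))
```

With IP mapping on, the first user's next request resolves to the second user's session, which matches the behaviour reported in the question; with cookies, each browser keeps its own identity.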