Possible Flaw in Advanced Webserver Login routine

In both the nahttps_pd and nahttp_pd example programs, I think I noticed a flaw: if you log in once correctly on these sample applications (Netsilicon/sysadm), and then close your web browser, and try to log in again, using the “Netsilicon” username, and ANY password or no password, the program lets you log in. Has anyone else noticed this problem? The basic webserver doesn’t seem to have this flaw, only the advanced webserver. I am using Net+OS 6.0 GNU on the connectme and the raven debugger.

Brian, I’ve noticed similar issues - not pursued it because we don’t need security in our apps (it’s the authorised users who are the main problem!). Certainly it seemed that, once you had logged in successfully, you were there for evermore. Steve

I no longer have access to my code, as I am no longer employed by the same company, however I think I remember some of what I did, but it was really just a very cheap work-around: Since I only had 1 administrative user, I manually kept track of the time the administrator last loaded a page. Then I set up a thread that, once a second, compared the current time to the time the administrator last loaded a page, to see if it was beyond the time limit. If it was, then I logged the administrator out the same way I would if they clicked a “log out now” type button (some system call like RpDeleteUser()). I know that’s not much to go on without the code, but I hope that helps you.
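A self-contained sketch of that idle-timeout watchdog, added here as an example and not code from the post or from Net+OS. `session_touch`, `session_check` and `force_logout` are hypothetical stand-ins; on the real platform the logout step would be the AWS API call the post mentions (RpDeleteUser()) and the check would run from a once-a-second thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Added example of the idle-timeout work-around described above. Names are
 * hypothetical: on Net+OS the logout step would be the AWS API call (the post
 * names RpDeleteUser()) and session_check() would run from a 1 Hz thread. */
#define IDLE_LIMIT_SECS 300u      /* log out after 5 min without a page load */
struct admin_session {
    bool     logged_in;
    uint32_t last_activity;       /* seconds from a monotonic tick counter */
    int      logouts;             /* forced logouts, useful for audit logging */
};
/* Page handler calls this on every page the admin loads. */
void session_touch(struct admin_session *s, uint32_t now)
{
    s->logged_in = true;
    s->last_activity = now;
}

/* Stand-in for the platform logout call (RpDeleteUser() on Net+OS). */
static void force_logout(struct admin_session *s)
{
    s->logged_in = false;
    s->logouts++;
}

/* Watchdog step, run once per second. Returns true only on the tick that
 * logs the admin out. Unsigned subtraction keeps the elapsed time right
 * even after the tick counter wraps. */
bool session_check(struct admin_session *s, uint32_t now)
{
    if (!s->logged_in)
        return false;
    if (now - s->last_activity >= IDLE_LIMIT_SECS) {
        force_logout(s);
        return true;
    }
    return false;
}

int main(void)
{
    struct admin_session s = {0};
    session_touch(&s, 1000);                     /* constructed timeline */
    for (uint32_t t = 1001; t <= 1400; t++)      /* simulated 1 Hz thread */
        if (session_check(&s, t))
            printf("admin idle-logout at t=%u\n", (unsigned)t);
    return 0;
}
```

The session is also cleared by the watchdog when the counter wraps, so a long-running device does not leave the admin logged in after the first 2^32 seconds.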

I have also noticed this problem and a few others with the AWS API. It seems as though users placed in certain security realms do not log out correctly either. I have a “guest” account with realm 1 access and an “admin” account with realm 1 & 8 access. The guest account works fine but the admin account mysteriously logs back in even after checking to see that the account was successfully logged out. Any help would be greatly appreciated.

I had exactly the same problem with a Realm 1&2 user. After consulting with tech support, I finally found out that if you switch to using Digest authentication, “admin” type accounts can be logged out. However, the same account still would not time out correctly using the API calls for that purpose. I had to construct a work-around for that.

Hi Brian Szuter, would you be interested in sharing your work-around!? Best regards, Mats Eklund