When HTTP cache is enabled, a visitor whose session has been destroyed (by session garbage collection, or by deleting the session file) keeps receiving the cached, logged-in rendering of pages until the cache entry expires. In effect an anonymous user can see pages which they should no longer have access to, and any session-bound data rendered into such a page is exposed out of context, which has security implications.
1. Prepare a test eZ Publish 5.4 installation with the demo content, fully updated (the latest version at the time of writing is 5.4.9). Set the admin user's credentials to admin/admin;
2. Enable HTTP cache in webserver:
3. Enable HTTP cache in eZ Publish, as detailed in the documentation: https://doc.ez.no/display/DEVELOPER/HTTP+Cache#HTTPCache-CacheandExpirationConfiguration
4. Go to the "eng" frontend siteaccess and log in as admin;
5. Go to the "Partner" section, and click on one of the existing logos ("eZ Logo Black" or "eZ Logo White"). In my test, I went to http://example.com/eng/Partner/eZ-Logo-Black;
6. Run PHP session garbage collection so that the session is destroyed. For practical reasons, a valid alternative is to delete the relevant session file manually. To do this, open the cookies view in the browser's developer tools and make a note of the value of the eZSESSID cookie (the plain eZSESSID key). Then look in /var/lib/php/sessions/ (or wherever your OS stores PHP sessions):
You should see a session file whose id matches the cookie value. Delete that session file:
7. Quickly reload http://example.com/eng/Partner/eZ-Logo-Black in the same browser. This has to be done within 60 seconds, because that is the HTTP cache expiration configured in step 3 (feel free to raise that value to make the window more comfortable).
- Expected behavior: I should be immediately logged out and asked to log back in
- Actual behavior: the page is still served with the logged-in view, and I am not logged out until the HTTP cache entry expires (60 seconds in this test).
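To make steps 6 and 7 repeatable from a terminal, here is an added example (not part of the original report, and not eZ Publish code) in POSIX shell: it locates and deletes the session file for a given eZSESSID value, then re-requests the page with the dead cookie and decides whether the answer came out of the HTTP cache still carrying the logged-in view. Everything beyond the report itself is an assumption and is marked as such in the code: PHP's default file session handler naming files sess_<id>, a cache that advertises stored responses with a non-zero Age header, a user/logout link as the marker of the logged-in rendering, and the constructed sample responses used to illustrate the two outcomes.

```shell
#!/bin/sh
# Added example, not part of the original report or of eZ Publish.
# Assumptions (not stated in the report): PHP's default file session
# handler names files sess_<id>; the cache advertises stored responses
# with a non-zero Age header (RFC 7234); the logged-in view contains a
# link to user/logout. Adjust any of these to your installation.

# Print the PHP session file backing an eZSESSID cookie value.
# Usage: session_file_for_cookie SESSION_DIR COOKIE_VALUE
session_file_for_cookie() {
    _f="$1/sess_$2"
    [ -f "$_f" ] && printf '%s\n' "$_f"
}

# Manual stand-in for session garbage collection (step 6): remove the
# session file so the server no longer knows this visitor. Returns
# non-zero when there was no such session to remove.
delete_session() {
    _f="$(session_file_for_cookie "$1" "$2")" || return 1
    rm -f -- "$_f"
    [ ! -e "$_f" ]
}

# Return 0 when a response was served from an HTTP cache. A cache that
# replays a stored response sends Age with the seconds it has been held;
# Age absent or 0 means the page came back from eZ Publish itself.
served_from_cache() {
    _age=$(printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z' \
        | sed -n 's/^age:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$_age" ] && [ "$_age" -gt 0 ]
}

# Return 0 when the HTML body is the logged-in rendering of the page.
# The marker is an assumption: use whatever your siteaccess shows only
# to authenticated users.
shows_logged_in_view() {
    printf '%s\n' "$1" | grep -qi 'user/logout'
}

# Constructed sample responses (not captured from a real server), showing
# what the two outcomes of step 7 look like on the wire.
FRESH_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: public, s-maxage=60'
CACHED_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: public, s-maxage=60
Age: 17'
LOGGED_IN_BODY='<a href="/eng/user/logout">Logout</a><h1>eZ Logo Black</h1>'
ANON_BODY='<a href="/eng/user/login">Login</a><h1>eZ Logo Black</h1>'

# Steps 6 and 7 against a live test instance: destroy the session, then
# re-request the page with the now-dead cookie. Exit 1 means the bug
# reproduced (a cached logged-in page was served to an anonymous visitor).
# Usage: reproduce /var/lib/php/sessions COOKIE_VALUE http://example.com/eng/Partner/eZ-Logo-Black
reproduce() {
    delete_session "$1" "$2" || { echo "no session file for cookie $2" >&2; return 2; }
    _tmp=$(mktemp -d)
    curl -s -D "$_tmp/headers" -o "$_tmp/body" -b "eZSESSID=$2" "$3"
    _hdrs=$(cat "$_tmp/headers")
    _body=$(cat "$_tmp/body")
    rm -rf "$_tmp"
    if served_from_cache "$_hdrs" && shows_logged_in_view "$_body"; then
        echo "BUG: cached logged-in page served after the session was destroyed"
        return 1
    fi
    echo "OK: page was regenerated for an anonymous visitor"
}
```

Call `reproduce` with the session directory, the eZSESSID value copied from the browser, and the page URL while the cache entry is still fresh (within the 60 seconds of step 7). A "BUG" result means the cache kept replaying the authenticated rendering after the session was gone, which is the observation above. For a stricter check, fetch the same URL once more with no cookie at all and compare the two bodies: for a visitor whose session no longer exists they should be identical.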