Resolved Maybe a potential security problem in 12.5?

[Azurel]

In older versions after restart browser I must re-login in plesk admin panel. In new plesk 12.5 I already logged in after restart browser. Who forgot logout and use a pc that public accessible have a potential security break.

Cookie PHPSESSID have this values:

expires 0
host "xx.xx.xx.xx"
isDomain false
isHttpOnly true
isSecure true
maxAge undefined
name "PHPSESSID"
path "/"
rawValue "xxx"
value "xxx"

 

[AndreyZ]

PHPSESSID is always set as so called "Session cookie", i.e. there is no expiration date assigned to it:

Set-Cookie: PHPSESSID=e17d5942de2140ae71d0cdfa827e3c41; path=/; secure; httponly

This behaviour does not change in Plesk 12.5.

User agent "sessions" are mentioned in RFC 6265:

If the server wishes the user agent to persist the cookie over multiple "sessions" (e.g., user agent restarts), the server can specify an expiration date in the Expires attribute.

But this term is not defined strictly. User agent restart is just example. So this depends on a browser.

Actually,

• Firefox does not remove "session cookies" on restart if you choose "When Firefox starts: Show my windows and tabs from last time" in general options, and the site tab is opened.
• Chrome does not remove "session cookies" on restart if you choose "On startup Continue where you left off" in settings, even if the site tab was closed.

Maybe your browser changed it's behaviour approximately when you have updated to Plesk 12.5?