• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Resolved Maybe a potential security problem in 12.5?

Azurel

Azurel

Silver Pleskian
In older versions after restart browser I must re-login in plesk admin panel. In new plesk 12.5 I already logged in after restart browser. Who forgot logout and use a pc that public accessible have a potential security break.

Cookie PHPSESSID have this values:

expires 0
host "xx.xx.xx.xx"
isDomain false
isHttpOnly true
isSecure true
maxAge undefined
name "PHPSESSID"
path "/"
rawValue "xxx"
value "xxx"
 
PHPSESSID is always set as so called "Session cookie", i.e. there is no expiration date assigned to it:
Code: 
Set-Cookie: PHPSESSID=e17d5942de2140ae71d0cdfa827e3c41; path=/; secure; httponly
This behaviour does not change in Plesk 12.5.

User agent "sessions" are mentioned in RFC 6265:
If the server wishes the user agent to persist the cookie over multiple "sessions" (e.g., user agent restarts), the server can specify an expiration date in the Expires attribute.
Click to expand...
But this term is not defined strictly. User agent restart is just example. So this depends on a browser.

Actually,
  • Firefox does not remove "session cookies" on restart if you choose "When Firefox starts: Show my windows and tabs from last time" in general options, and the site tab is opened.
  • Chrome does not remove "session cookies" on restart if you choose "On startup Continue where you left off" in settings, even if the site tab was closed.

Maybe your browser changed it's behaviour approximately when you have updated to Plesk 12.5?
 
Last edited:
You must log in or register to reply here.

Similar threads

L
Migrate to Plesk on AWS from Plesk, cPanel or DirectAdmin
Replies
0
Views
5K
Lukas Hertig
L
A
How to add Centralized Slave DNS to Plesk Multi Server
Replies
0
Views
4K
Anton Akhtyamov
A
S
Horde authentication error
Replies
7
Views
5K
SabineW
S
Back
Top