This is the scoop… we have a very simple DSP page used by users to run some reports and the first time any user is requested by webMethods to enter their login & password for authentication, and this is good (as expected).
If the user closes the browser window and tries to log in again by entering the same URL, the webMethods server requests the login & password again, and this is also good.
When the user receives this URL via email and clicks on the link, again the first time they are required to enter login & password, which is also good.
The problem is if the user receives the email notification with the URL, clicks on the link and enters the login & password for the first time, and then some time later decides to close the browser and open it again: they are NO LONGER required to enter login & password if the current session has not expired yet. The browser opens a new window without asking for the login & password again, and this is a security risk.
This is a security glitch and we would like to know if anyone out there had any tips on how to control this better.
Just for the record, our browser setup forces the browser’s temporary internet files folder (aka cache) to be removed when the browser window is closed (see IE options for more details).
Thanks in advance!
Here is our environment: webMethods IS 6.1 with TN 6.1 and IE 6.0 SP2