Print

[Matt2006]

I am running CPG 1.43 on Apache 2.0.55 on Windows XP, and I have setup 1 password protected album in the user gallery on a user account. The problem is that after I Logout of CPG, I can still view the contents of the protected album without entering a password. I still see the "password protected" pictures on the homepage, and by visiting user galleries, even though I am logged out, and have the status "Guest". This is a serious security problem, because if someone logs into a private album from a public computer and then logs out, anyone who uses that computer afterwards will still be able to view the private album. It seems that logging out does not clear the permission status for viewing the private album. I am currently testing Coppermine on my local server before putting it on the net. My software environment is, WinXP, Apache 2.0.55, PHP 4.4.2, MySQL 4.1.9-nt. Thanks in advance for your help.

[Joachim Müller]

post a link to the password protected album then (and of course the password as well) if you need support...

[Matt2006]

Hi GauGau,

Sorry if I didn't make it clear in my first post, but my test server is on my LAN and not accessible from the internet. But the demo gallery here exhibits the same behavior as my test installation. Once a user (registered or guest) enters the protected album's password, that browser will have access to the protected album until the browser is closed. There should be a way to restrict access to password protected albums to registered users only, while continuing to permit guest access to public albums. If that were done, the password protected album would only be visible to registered users with the password while they were logged in, and would be invisible to other people who use that browser after the registered user has logged out. Or, alternatively, the album password cookie could be given a very short lifespan, and be set to expire 15 minutes after the password is entered.

The current situation leaves "password protected private albums" wide open to everyone who uses the shared computer, until such time as the browser is closed. The current permission system does not afford the owner of the private album adequate control or protection in my opinion.

[Joachim Müller]

When browsing the password-protected album, the user login is irrelevant, as you can even allow non-logged in visitors of your site (guests) to access password-protected albums. Therefor, access to password-protected albums is stored in a client-sided cookie - there can be no other method. The cookie persists untill it gets deleted. When using a puplic internet terminal like an internet café, the user should be aware that it's mandatory for safety reasons to delete cookies, temporary internet files and history. This is a technical limitation, I can not see how this should be done in any other way.