BOY SCOUTS OF AMERICA

Scouting Forums

Logout does not invalidate session

If you log in to Scoutbook, navigate to forums, go back to Scoutbook, log out, then log in as someone else, then go to forums again, you will still be logged into the forums as the previous user.

This is true for navigating to my.scouting as well. I could get into the previous user’s my.scouting account.

I was also able to log in to my.scouting as user B, then type in the Scoutbook URL, and get access to user A's previous session.

This is a serious security risk.

We discovered this issue earlier this week. The developers are working on a fix so when you log out of Scoutbook you will also be logged out of Discourse. You will NOT be logged out of Discourse if your Scoutbook session times out.

It is an issue with Discourse, my.scouting, and Scoutbook, in any direction of navigation.

A logout on any one of them should invalidate the session on all of them.

In the meantime, anyone using Scoutbook on a shared computer/device needs to take the time to log out of all three sites if they want to protect their account.

I believe that is the plan but a timeout from one will not cause the others to log out as they don’t share activity information.
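The behaviour reported in this thread and the requested fix, modelled as an added example (not code from Scoutbook, my.scouting or Discourse, and not written by anyone in the thread). The `IdentityProvider` and `Site` classes, the in-memory session tables and the user names are assumptions made for illustration; the real sites' architecture is not described on this page.

```python
import secrets

class IdentityProvider:
    """Hypothetical central login service shared by the sites."""
    def __init__(self):
        self.sso = {}      # sso_id -> user
        self.sites = []

    def authenticate(self, user):
        sso_id = secrets.token_hex(16)
        self.sso[sso_id] = user
        return sso_id

    def end_session(self, sso_id):
        # Single logout: drop the SSO session and every site session derived from it.
        self.sso.pop(sso_id, None)
        for site in self.sites:
            site.sessions = {t: s for t, s in site.sessions.items() if s[1] != sso_id}

class Site:
    def __init__(self, idp):
        self.idp, self.sessions = idp, {}   # token -> (user, sso_id)
        idp.sites.append(self)

    def login_via_sso(self, sso_id):
        token = secrets.token_hex(16)
        self.sessions[token] = (self.idp.sso[sso_id], sso_id)
        return token

    def whoami(self, token):
        return self.sessions.get(token, (None, None))[0]

    def logout(self, token, propagate):
        user, sso_id = self.sessions.pop(token, (None, None))
        if propagate and sso_id:
            self.idp.end_session(sso_id)

def forum_user_after_switch(propagate):
    idp = IdentityProvider()
    scoutbook, forums = Site(idp), Site(idp)
    sso_a = idp.authenticate("user_a")              # constructed users
    cookies = {"scoutbook": scoutbook.login_via_sso(sso_a),
               "forums": forums.login_via_sso(sso_a)}   # user A opens the forums
    scoutbook.logout(cookies.pop("scoutbook"), propagate)
    sso_b = idp.authenticate("user_b")              # same browser, next user
    cookies["scoutbook"] = scoutbook.login_via_sso(sso_b)
    # The forums honour a still-valid cookie; otherwise they start a new SSO login.
    if forums.whoami(cookies["forums"]) is None:
        cookies["forums"] = forums.login_via_sso(sso_b)
    return forums.whoami(cookies["forums"])
```

With `propagate=False` the forums still answer as the first user after the second user logs in; with `propagate=True` the stale forum session is gone and the forums pick up the new login.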