Educause Security Discussion mailing list archives

Re: Interesting "caching" problem - anyone using a Gmail "channel" in Ellucian's "Luminis" portal??


From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Mon, 4 Aug 2014 12:24:15 -0500

<snark> because users are *so* good about reading and following
instructions </snark>  Sheesh!  Did I say that?  Nothing personal
Teresa, but I couldn't resist...  Sorry!!  :-)

Taking this out of the user's hands seems to be the best course of
action, and the google logout iframe in the browser's home page seems to
be the most foolproof course of action I've heard so far.

- ken

On 8/4/14 11:45 AM, Teresa Beamer wrote:
Our Helpdesk also reports that we have seen this problem here. 
Currently, we have added a blurb to our logout page letting people
know they need to "log out" from every logged in app not just the portal.


On Mon, Aug 4, 2014 at 11:52 AM, Flynn, Gary - flynngn
<flynngn () jmu edu> wrote:

    It sounds related to Google's "Stay Signed In" feature but
    clearing cookies should disable/clear that.

     

    ************************************************

    Have you logged into Gmail from a lab or library computer lately?
    If you didn't sign out of Gmail or restart the computer when you
    were done, the next person who used the computer and visited the
    Gmail web site was automatically logged into your Gmail account.
    Even if you logged out of the computer. You may experience similar
    issues with other services you patronize. The Amazon site will
    remember who you are but fortunately will make you sign in again
    to view any information or submit any orders.

    This is all brought to you by the miracle of web cookies. They are
    bits of information about you that web sites store on your
    computer...or on a shared computer if that is what you happen to
    be using. When you visit the site again, the web site can retrieve
    them to remember information about you or even automatically log
    you in...even if someone else happens to be at the keyboard at the
    time. Google decided to make automatic login the default behavior.

    What to do?

    For Gmail, uncheck the box labeled "Stay Signed In" before
    logging in. If you forget to do that, you can still protect
    yourself. After you are done using the service, click your account
    photo or email address in the top right corner and select "sign
    out". (Taken from Google's Gmail Security Checklist
    <https://support.google.com/mail/checklist/2986618?rd=1> step 9 -
    advice for shared computers).

    ************************************************************

     

    Maybe some inline code like the logout link someone else posted
    could be used to affect the "Stay Signed In" status.

    From: The EDUCAUSE Security Constituent Group Listserv
    [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
    Sent: Monday, August 04, 2014 9:59 AM
    To: SECURITY () LISTSERV EDUCAUSE EDU
    Subject: Re: [SECURITY] Interesting "caching" problem - anyone
    using a Gmail "channel" in Ellucian's "Luminis" portal??

     

    Hi Justin,

     

    Unfortunately – yes, we have tried this, (in Chrome and IE), but
    the problem appears to persist.  According to Google – this
    persistent cookie thing is an integral part of their own security
    model??

     

    M

    From: The EDUCAUSE Security Constituent Group Listserv
    [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Justin
    Sent: Monday, August 4, 2014 7:55 AM
    To: SECURITY () LISTSERV EDUCAUSE EDU
    Subject: Re: [SECURITY] Interesting "caching" problem - anyone
    using a Gmail "channel" in Ellucian's "Luminis" portal??

     

    Michael-

     

    I personally have not seen this, but have you tried forcing the
    browser to clear all cached files when the browser is closed?  In
    Firefox it is located in Options -> Privacy -> Click the check
    box:  Clear history when Firefox closes.  In Chrome, I do not see
    anything like what is seen in Firefox, I will play with Chrome
    some more and report my findings.  In IE:  Go to Internet Options
    -> Browsing History section under the General Tab and click Delete
    browsing history on exit.

     

    Hopefully this will fix the issue you are seeing with Luminis and
    Gmail.

     

    Thank you-

    Justin Jones

     

    Office of Research Administration

    Indiana University

     

    From: The EDUCAUSE Security Constituent Group Listserv
    [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
    Sent: Monday, August 04, 2014 9:46 AM
    To: SECURITY () LISTSERV EDUCAUSE EDU
    Subject: [SECURITY] Interesting "caching" problem - anyone using
    a Gmail "channel" in Ellucian's "Luminis" portal??

     

    Hi folks,

     

    We have an interesting, yet troubling, problem.  We use Ellucian's
    "Luminis" portal as part of our Banner system - and one of the
    "channels" that we have on our Luminis portal is directly to
    Gmail, because we outsourced our student email to Google about 2
    years ago.  What we have discovered is:

    1. "Student A" walks up to an open kiosk system in our
       Admissions area and logs in to Luminis with their own credentials

    2. "Student A" clicks on the Gmail "channel" in the Luminis
       portal and checks their email

    3. "Student A" finishes reading their email and just closes
       the active window (i.e., clicks on the "X" in the upper right
       corner of the window) and walks away….

    4. Now - "Student B" walks up to the same open kiosk - they
       open a new browser window and are prompted to log in to Luminis
       with their own credentials

    5. "Student B" clicks on the Gmail channel in the Luminis
       portal to check their email

    6. PROBLEM - what "Student B" finds is that they are NOT in
       their own email - in fact, "Student B" has full access to "Student
       A's" email, because the cookie left behind by Google with the
       first student has kept the session active, even once the browser
       is closed.

     

    ….and the browser doesn't seem to matter.  It works this way in
    IE, Chrome - all versions, apparently.

     

    We've run this problem all the way up to Ellucian *and* Google. 
    Google says everything is "working as designed" - there's no way
    to keep the cookie from remaining resident and active, as long as
    the system isn't rebooted.  The only thing that *appears* to work
    is making the student explicitly logout of the Luminis session
    when they are done…..but - since these systems are set up to be
    self-service kiosks, there's not always someone there to remind
    students to "log off before you leave", so we have students
    closing the window thinking that they've "logged off", but the
    next student steps up, logs in, and gets the previous student's email.

     

    The problem doesn't seem to occur with any other "channels" - and
    we've tried just about everything within the browser, with the
    Gmail settings, popup blockers, security settings on the OS, etc. 
    Ellucian seems to be very perplexed by our inquiries - seems that
    no one else is experiencing this except us….??

     

    Anyone else see or experience anything like this?

     

    Anyone else already *solve* a problem like this?

     

    Thanks for your time and consideration…..

     

    Michael Schalip

    Dir, ITS/Customer Support Services

    Central New Mexico Community College

     


    -- 
    This message has been scanned for viruses and
    dangerous content by *MailScanner* <http://www.mailscanner.info/>,
    and
    no known threats were found.






-- 
Teresa Beamer
Networks and Systems Administrator
Information Technology Services
Denison University

-- 
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!
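
The cookie behaviour discussed in this thread, as an added example that is not part of any poster's message: a small model of which cookies the next kiosk user inherits after each way of ending a session. The cookie names, values and the reference time are constructed for illustration and are not the cookies any real service sets.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers (names and values are illustrative only).
SAMPLE_HEADERS = [
    "PORTAL_SESSION=abc123; Path=/; Secure; HttpOnly",
    "MAIL_SSO=def456; Path=/; Max-Age=1209600; Secure; HttpOnly",
    "MAIL_PREFS=lang-en; Path=/; Expires=Wed, 03 Aug 2016 12:00:00 GMT",
    "MAIL_OLD=gone; Path=/; Max-Age=0",
]
NOW = datetime(2014, 8, 4, tzinfo=timezone.utc)  # constructed reference time

# Which cookie kinds each end-of-session action removes (simplified model).
CLEARS = {
    "window_close": set(),                       # browser process keeps running
    "browser_exit": {"session"},                 # persistent cookies stay on disk
    "profile_wipe": {"session", "persistent"},   # e.g. clear-on-exit or reimage
}

def lifetime(header, now=NOW):
    """Return (name, kind) where kind is session, persistent or expired."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    if morsel["max-age"]:                        # Max-Age takes precedence
        alive = int(morsel["max-age"]) > 0
    elif morsel["expires"]:
        alive = parsedate_to_datetime(morsel["expires"]) > now
    else:
        return name, "session"                   # no lifetime attribute at all
    return name, "persistent" if alive else "expired"

def left_behind(headers, action, now=NOW):
    """Names of cookies still usable by the next person at the kiosk."""
    kinds = (lifetime(h, now) for h in headers)
    return [n for n, k in kinds if k != "expired" and k not in CLEARS[action]]

if __name__ == "__main__":
    for action in CLEARS:
        print(f"{action:13} -> {left_behind(SAMPLE_HEADERS, action)}")
```

A browser configured to restore the previous session on startup can also keep session cookies across an exit, so on shared machines only the profile wipe row should be relied on.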

