thanks for this information.
I can not understand and reproduce this.
Each REST call requires an Authorization Token (JWT) to be sent in the
header. If this token is not available the API call will refuse the
connection, i.e. the authentication is done below the UI level and also
tested in some of the unit tests.
Additionally, when you press F5, the single page application is loaded
anew and it should forget all data - also the JWT.
You can see the behaviour, when you issue a request directly to
https://yourserver/audit, you will get:
“message”: “missing Authorization header”
If you don’t get this message, the browser still has the authorization
I only can assume that the JWT remains in the IEs browser cache and gets
"activated" and sent during the F5 presses.
Nevertheless I am curious, at which point the IE did not clear it.
So when can you see this behaviour? After having logged out? Can you see
it with a newly started IE?
Thanks a lot and kind regards
CorneliusAm 28.02.2015 um 21:12 schrieb Stefan Steuer:
and after I click at the resolver name in the audit log I can see the
configuration of the whole system - without any login.
On Saturday, February 28, 2015 at 9:10:28 PM UTC+1, Stefan Steuer wrote:
Hi Cornelius, I found a big bug privacyidea. When I open the url to my privacyidea control panel and try to open the audit log without any login I'll get the login screen. When I press F5 for two times - I'll the the hole audit log.
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to firstname.lastname@example.org
To post to this group, send email to email@example.com
To view this discussion on the web visit
For more options, visit https://groups.google.com/d/optout.