Re: Interesting "caching" problem - anyone using a Gmail "channel" in Ellucian's "Luminis" portal??

[Teresa Beamer <beamer () DENISON EDU>]

Our Helpdesk also reports that we have seen this problem here.  Currently,
we have added a blurb to our logout page letting people know they need to
"log out" from every logged in app not just the portal.


On Mon, Aug 4, 2014 at 11:52 AM, Flynn, Gary - flynngn <flynngn () jmu edu>
wrote:

> It sounds related to Google's "Stay Signed In" feature but clearing
> cookies should disable/clear that.
>
>
>
> ************************************************
>
> Have you logged into Gmail from a lab or library computer lately? If you
> didn`t sign out of Gmail or restart the computer when you were done, the
> next person who used the computer and visited the Gmail web site was
> automatically logged into your Gmail account. Even if you logged out of the
> computer. You may experience similar issues with other services you
> patronize. The Amazon site will remember who you are but fortunately will
> make you sign in again to view any information or submit any orders.
>
> This is all brought to you by the miracle of web cookies. They are bits of
> information about you that web sites store on your computer...or on a
> shared computer if that is what you happen to be using. When you visit the
> site again, the web site can retrieve them to remember information about
> you or even automatically log you in...even if someone else happens to be
> at the keyboard at the time. Google decided to make automatic login the
> default behavior.
>
> What to do?
>
> For Gmail, uncheck the box labeled "*Stay Signed In*" before logging in.
> If you forget to do that, you can still protect yourself. After you are
> done using the service, click your account photo or email address in the
> top right corner and select "sign out". (Taken from Google`s Gmail
> Security Checklist
> <https://support.google.com/mail/checklist/2986618?rd=1> step 9 - advice
> for shared computers).
>
> ************************************************************
>
>
>
> Maybe some inline code like the logout link someone else posted could be
> used to affect the "Stay Signed In" status.
>
>
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *SCHALIP, MICHAEL
> *Sent:* Monday, August 04, 2014 9:59 AM
>
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Interesting "caching" problem - anyone using a
> Gmail "channel" in Ellucian's "Luminis" portal??
>
>
>
> Hi Justin,
>
>
>
> Unfortunately – yes, we have tried this, (in Chrome and IE), but the
> problem appears to persist.  According to Google – this persistent cookie
> thing is an integral part of their own security model??
>
>
>
> M
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
> Behalf Of *Jones, Justin
> *Sent:* Monday, August 4, 2014 7:55 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Interesting "caching" problem - anyone using a
> Gmail "channel" in Ellucian's "Luminis" portal??
>
>
>
> Michael-
>
>
>
> I personally have not seen this, but have you tried forcing the browser to
> clear all cached files when the browser is closed?  In Firefox it is
> located in Options -> Privacy -> Click the check box:  Clear history when
> Firefox closes.  In Chrome, I do not see anything like what is seen in
> Firefox, I will play with Chrome some more and report my findings.  In IE:
> Go to Internet Options -> Browsing History section under the General Tab
> and click Delete browsing history on exit.
>
>
>
> Hopefully this will fix the issue you are seeing with Luminis and Gmail.
>
>
>
> Thank you-
>
> Justin Jones
>
>
>
> Office of Research Administration
>
> Indiana University
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
> Behalf Of *SCHALIP, MICHAEL
> *Sent:* Monday, August 04, 2014 9:46 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Interesting "caching" problem - anyone using a
> Gmail "channel" in Ellucian's "Luminis" portal??
>
>
>
> Hi folks,
>
>
>
> We have an interesting, yet troubling, problem.  We use Ellucian's
> "Luminis" portal as part of our Banner system - and one of the "channels"
> that we have on our Luminis portal is directly to Gmail, because we
> outsourced our student email to Google about 2 years ago.  What we have
> discovered is:
>
> 1.      "Student A" walks up to an open kiosk system in our Admissions
> area and logs in to Luminis with their own credentials
>
> 2.      "Student A" clicks on the Gmail "channel" in the Luminis portal
> and checks their email
>
> 3.      "Student A" finishes reading their email and just closes the
> active window, (ie, clicks on the "X" in the upper right corner of the
> window) and walks away….
>
> 4.      Now - "Student B" walks up to the same open kiosk - they open a
> new browser window and is prompted to login to Luminis with their own
> credentials
>
> 5.      "Student B" clicks on the Gmail channel in the Luminis portal to
> check their email
>
> 6.      PROBLEM - what "Student B" finds is that they are NOT in their
> own email - in fact, "Student B" has full access to "Student A's" email,
> because the cookie left behind by Google with the first student has kept
> the session active, even once the browser is closed.
>
>
>
> ….and the browser doesn't seem to matter.  It works this way in IE, Chrome
> - all versions, apparently.
>
>
>
> We've run this problem all the way up to Ellucian *and* Google.  Google
> says everything is "working as designed" - there's no way to keep the
> cookie from remaining resident and active, as long as the system isn't
> rebooted.  The only thing that *appears* to work is making the student
> explicitly logout of the Luminis session when they are done…..but - since
> these systems are setup to be self-service kiosks, there's not always
> someone there to remind students to "log off before you leave", so we have
> students closing the window thinking that they've "logged off", but the
> next student steps up, logs in, and gets the previous student's email.
>
>
>
> The problem doesn't seem to occur with any other "channels" - and we've
> tried just about everything within the browser, with the Gmail settings,
> popup blockers, security settings on the OS, etc.  Ellucian seems to be
> very perplexed by our inquiries - seems that no one else is experiencing
> this except us….??
>
>
>
> Anyone else see or experience anything like this?
>
>
>
> Anyone else already *solve* a problem like this?
>
>
>
> Thanks for your time and consideration…..
>
>
>
> Michael Schalip
>
> Dir, ITS/Customer Support Services
>
> Central New Mexico Community College
>
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and
> no known threats were found.
>
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> believed to be clean.
>
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and
> no known threats were found.



-- 
Teresa Beamer
Networks and Systems Administrator
Information Technology Services
Denison University