go to PM inbox (tab1)
open new tab with bitcointalk (tab2)
logout in tab 2
go to tab 1, refresh page
you'll see warning+password prompt in tab 1
login again in tab 2
go back to tab 1, click "home" link
watch url field, it will include PHPSESSID=aabbccddee112233445566778899
Feels like a potential security risk to me; it might be hard to exploit, but anyway...
Also, can anyone reproduce this? I've only tried on one computer; otherwise it might not be a problem.
Hi, this is not a security issue. The easiest way to replicate this is to disable cookies, after which the forum software tries to store your session id in a query string to maintain a stateful browsing experience.
If you have cookies enabled, the session id will be stored in the header "Cookie" which gets passed every request you make. From a security standpoint, this makes no difference as the session id is passed either way, whether you do or do not have cookies enabled.
Plus, your connection to the forum is encrypted, so it is improbable that a man-in-the-middle attack could steal your session id and log in as you.
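An added defender-side check for the pattern discussed in this thread (a session id carried in the query string instead of the Cookie header); it is example code, not code from the forum or from the forum software. It parses constructed access-log lines, flags any session-id-like parameter in the request line or in the Referer header, and provides a redaction helper for log handling. The parameter names other than PHPSESSID, the log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that typically carry a session id. PHPSESSID is the
# one seen in the thread; the others are assumed common names.
SESSION_PARAMS = {"phpsessid", "sid", "sessionid", "jsessionid"}

# Minimal pattern for a combined-format access log line: request line,
# status, size, then the quoted Referer value (assumed log format).
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample lines: one clean request, one with the session id in the
# request URL, one where the session id travels in the Referer header.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2020:10:00:00 +0000] "GET /index.php?action=pm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2020:10:00:05 +0000] "GET /index.php?PHPSESSID=aabbccddee112233445566778899&action=home HTTP/1.1" 200 814 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2020:10:01:00 +0000] "GET /page HTTP/1.1" 200 100 "https://forum.example/index.php?PHPSESSID=aabbccddee112233445566778899&action=pm" "Mozilla/5.0"',
]


def session_ids_in_url(url):
    """Return {param: value} for every session-id-like query parameter in url."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SESSION_PARAMS}


def scan_access_log(lines):
    """List every place a session id rides in a URL: request path or Referer."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a recognised log line; skip rather than guess
        for where in ("path", "referer"):
            for param, value in session_ids_in_url(m.group(where)).items():
                findings.append({"line": n, "where": where, "param": param, "value": value})
    return findings


def redact_session_ids(url):
    """Return url with session-id parameter values replaced, for safe logging."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SESSION_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['param']} in {f['where']}")
```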