Web Hosting Forum | Lunarpages


Author Topic: Why doesn't logout work on CPANEL ?  (Read 667 times)
sickteatoo (Newbie, Posts: 3)
« on: July 30, 2003, 09:45:01 PM »

I'm new to Lunarforums.  A programmer by trade and lots of web experience.

All I want to do is logout of CPANEL.  When I do I expect that I am "logged out".  Why is it that in IE that I can hit the little "logout" icon in the upper right and I get this:

mscmotocross.com has been logged out. Thanks for using Cpanel!
Last login from: xxxxx.optonline.net
Click here to log in again

But it has no effect.  If I hit the back button I get a popup window asking me to put in my ID again but all I have to do is cancel it a few times and I have full access to CPANEL.    If I cancel my IE session then it will prompt me for a userid and password once again.  I am on 6.0 using all the Microsoft defaults.  Setting page refresh to "every time" has no effect.  If I manually refresh it has no effect.  And I have full access!  Can do whatever I want WITHOUT signing in AFTER I have logged off and got the above message.  I also went to CONTENT and blew out all my passwords and forms.  Tried killing all cookies and stored pages.  Went to "advanced" and told it not to accept stuff.  No impact.

Now, 6.2 Netscape is somewhat better.  It works as it should.  However, if I hit the "click here to login again" then it gets itself into stupid mode just like IE and now when I logout (and get the above message) I can still hit the back button and get to CPANEL without relogging in.

Now, I put up 1 website already and wish to purchase another account tonight.  But I have never seen anything like this before and it makes me think that Lunar security is second rate.  Please say this isn't so. Please say this is my fault and point out why.  I like Lunar and want to purchase a PREMIUM account for a business tonight !  But security is job #1.  So I await your guidance.

sickteatoo

TWebMan (Quantum Encyclopedia Writer, Posts: 3112)
« Reply #1 on: July 31, 2003, 03:00:54 AM »

Hmm not sure but it's always been my experience that if I want to make sure I'm logged out of an authorized area,  I should close any browser windows.

"Computers cause people to make more mistakes than any other invention in history, with the possible exception of handguns and tequila."  - Unknown
"Liberty of any kind is seldom lost all at once." - D. Hume
Every day is an Ode to Joy
The planet will be fine... and so will your site

sickteatoo (Newbie, Posts: 3)
« Reply #2 on: July 31, 2003, 06:09:04 AM »

Well, the whole reason this upset me so much is that with IE 5.5 I could hit logoff and then shut down the entire browser and then I could get back in anyway by cancelling the authentication requests.  Works the same way on secured sign in too (sirius).  I upgraded to IE 6.0 and at least it shuts down now if I kill the whole browser (thank god for that).

Clearly by hitting "logoff" on CPANEL I would expect the server to drop authentication.  It clearly has attempted to do that, as it now barks at me a few times with an authentication panel, but after 3 cancels I am in.  Something is dreadfully wrong.  This needs to be brought to someone's attention.  And you know, it's nice to think you shut down your browser but if you have a million windows open it's not so easy to be sure you got that "straggler" window.  Result:  you did not "LOGOFF" after you "LOGGED OFF" (and that's after Lunar sent you a nice clear message stating the success of your logoff explicitly).  And even on THAT PANEL I can hit the back button and get back in after cancelling authentication requests.

sickteatoo

jinyao (Newbie, Posts: 5)
« Reply #3 on: August 03, 2003, 08:12:57 PM »

Generally, I do not trust any site's "logout" function if it uses "BASIC" authorization -- that is, using a browser pop-up window asking for your user name and password -- my web development experience tells me the only sure way of logging off from this kind of site is closing all browser windows.

TWebMan (Quantum Encyclopedia Writer, Posts: 3112)
« Reply #4 on: August 04, 2003, 06:01:25 AM »

I have to agree with jinyao.

I can hit the back button on any .htaccess authorization area I go to on the 'net and see where I was inside the authorized area.

sickteatoo (Newbie, Posts: 3)
« Reply #5 on: August 12, 2003, 11:31:13 AM »

Then the word "logout" should be changed to "home" on CPANEL.

You don't specifically state you are doing something, confirm the message to the panel operator that "all is well" with their request and then fail to do it.  

And because Basic Authorization is used to "accept" the userid has absolutely no bearing on whether the EXE's should operate in the system.  It could very well have a second layer of custom security that when someone "logs off" that inner security is revoked.  No one could possibly know this therefore no one can state that is how Lunar works because it uses Basic Authorization.  If one can accept logic like that then one isn't being very imaginative.

Considering the overwhelming power of CPANEL I still find this unacceptable.  I will deal with it though.  

Sic t 2

flipster (Trekkie, Posts: 10)
« Reply #6 on: August 14, 2003, 05:45:00 AM »

A similar security problem happens when using webmail! I log out of Horde, quit the browser application. Fire up IE, look at history and click on mail inbox. The Horde login page pops up with my username and password already filled in. One click on the source reveals my password to the world!
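
The point made in Reply #3 and the "second layer" idea raised in Reply #5, as an added example (not part of the thread and not cPanel's or Lunarpages' code): with Basic authentication the browser resends its cached credentials on every request, so only state that the server itself keeps and deletes can make a logout stick. The account, password and `SessionLayer` class are constructed for illustration.

```python
import base64
import hmac
import secrets

USERS = {"demo": "constructed-password"}  # constructed account, not from the thread

def basic_auth_user(headers):
    """Return the user if the Authorization header carries valid Basic credentials.
    Stateless: nothing here can know that a 'logged out' page was ever shown."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    expected = USERS.get(user)
    if expected and hmac.compare_digest(password.encode(), expected.encode()):
        return user
    return None

class SessionLayer:
    """Hypothetical second layer: a server-side session id that logout deletes."""
    def __init__(self):
        self._live = {}  # session id -> user

    def login(self, headers):
        user = basic_auth_user(headers)
        if user is None:
            return None
        sid = secrets.token_urlsafe(32)
        self._live[sid] = user
        return sid

    def logout(self, sid):
        self._live.pop(sid, None)  # revocation happens on the server

    def authorized(self, headers, sid):
        user = basic_auth_user(headers)
        return user is not None and self._live.get(sid) == user

def replay_after_logout():
    """Replay the header a browser keeps cached for the realm, after logout."""
    cached = {"Authorization": "Basic " + base64.b64encode(b"demo:constructed-password").decode()}
    layer = SessionLayer()
    sid = layer.login(cached)
    before = layer.authorized(cached, sid)
    layer.logout(sid)
    # (layered check before logout, Basic-only check after, layered check after)
    return before, basic_auth_user(cached) is not None, layer.authorized(cached, sid)
```

The Basic-only check still accepts the replayed header after logout, while the layered check rejects it because the session id no longer exists on the server.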