The sessions should actually expire after some time. Could you please post a screenshot of the permissions of the user you used to login? And which version of macOS (10.5.x?) did you use? And what exactly was still listed?
Thanks for the responses. I will post screenshots privately to the team.
Jim, yes, either this or the log in screen would be good. I will keep on checking my setup and if this happens again. Christian, I will keep you updated via support mail.
I guess I’d be looking to see some sort of risk assessment that quantified what could go wrong, impact, and probability before doing anything … I don’t see that with a STOP IT recommendation.
I am not servng my databases to anyone, also not serving off my network, and also not able to reproduce the specific issue reports, so my risk assessment is very low here.
An assessment would be dependent on those factors.
After finally getting around to check all suggested solutions, I found this:
When accessing the login screen of the server, you get to log in
However, if you access the URL after logging in (for example when hitting “reload” in the browser), the server checks for potentially saved logins in the macOS keychain!
Since I had another account with full access saved to my keychain, the web server then automatically accessed this login - despite having logged in as another user before!
So… if you are not saving your login credentials in the keychain, your server security should be fine - and if you do, you better don’t leave it unlocked or let anyone else use that browser…