Security issue? Logout of CMS Admin Console Doesn't "Take"

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
postiffm
Forum Members
Posts: 124
Joined: Tue Nov 30, 2010 12:16 am

Security issue? Logout of CMS Admin Console Doesn't "Take"

Post by postiffm »

This is strange: If I am in the admin console, I click logout. CMS Made Simple displays the login screen at https://www.fbcaa.org/cms/admin/login.php. Close that tab in Chrome. Open a new tab. Then if I visit https://www.fbcaa.org/cms/admin it lets me right into the admin console and I can start editing my site, without giving my username or password. I have reproduced this maybe 10 times. I don't know what other information I might share with you that would be helpful, but this behavior seems wrong.

This seems to have started when I enabled SSL on my site. Or, it possibly started after I did a bunch of edits on my site using the Admin search module. I would click on "found" things there, and new tabs would open for me to edit. I would close those and repeat the process. I probably opened many dozens of tabs in the admin console this way. Did that leave around some junk?

My CMS setup:
CMS Made Simple Install Information
CMSMS Version 2.1.6

Installed Modules
AdminSearch 1.0.2
CGBlog 1.14.4
CGExtensions 1.54.1
CGFeedMaker 1.0.20
CGSimpleSmarty 2.1.6
CMSContentManager 1.1.4
CMSForms 1.11.2
CMSMailer 6.2.14
CSSMenu 1.2.2
Captcha 0.5.5
CustomContent 1.10
DesignManager 1.1.1
FileManager 1.5.2
FormBuilder 0.8.1.6
FrontEndUsers 2.3.2
Gallery 2.3.1
JQueryTools 1.4.0.1
JSCookMenu .02
MicroTiny 2.0.3
ModuleManager 2.0.5
Navigator 1.0.3
News 2.50.6
PHPLayers 1.1
Printing 1.1.2
Search 1.50.2
SelfRegistration 1.10
SiteMapMadeSimple 1.2.8
ThemeManager 1.1.8
TinyMCE 2.8.4

CMS Made Simple Config Settings
php_memory_limit
max_upload_size 128000000
url_rewriting mod_rewrite
page_extension
query_var page
auto_alias_content true
locale
set_names true
timezone America/New_York
permissive_smarty false
debug false
root_url https://www.fbcaa.org/cms
ssl_url https://www.fbcaa.org/cms
root_path Success /home/fbcaaorg/public_html/cms (0755)
uploads_path Success /home/fbcaaorg/public_html/cms/uploads (0755)
uploads_url https://www.fbcaa.org/cms/uploads
image_uploads_path Success /home/fbcaaorg/public_html/cms/uploads/images (0755)
image_uploads_url https://www.fbcaa.org/cms/uploads/images
ssl_uploads_url https://www.fbcaa.org/cms/uploads

Performance and Tuning Information (recommended settings, but not required)
Allow Browser to Cache Pages Success On (True)
Browser Cache Expiry Period (minutes) Success 60
PHP 5.5+ Opcode Cache Success On (True)
Enable Smarty Caching Success On (True)
Do a Compilation Check Success Off (False)
Cache UDT Calls Success On (True)
Remove cache files that are older than the specified number of days Success On (True)

PHP Information
Current PHP Version (phpversion) Success 5.6.30
md5 function (md5_function) Success On (True)
JSON functions (json_function) Success On (True)
GD version (gd_version) Success 2
tempnam function (tempnam_function) Success On (True)
Magic quotes in runtime (magic_quotes_runtime) Success Off (False)
Is E_ALL enabled in error_reporting (E_ALL) Success
Is E_STRICT disabled in error_reporting (E_STRICT) Caution E_STRICT is enabled in the error_reporting
Is E_DEPRECATED disabled in error_reporting (E_DEPRECATED) Caution E_DEPRECATED is enabled
Testing for time difference in the file system (test_file_timedifference) Success No time difference found
Testing for time difference in the database (test_db_timedifference) Success No time difference found
Checking if the HTTPD process can create a file inside of a directory it created (create_dir_and_file) Success 1
PHP Effective Memory Limit (memory_limit) Success 768M
Maximum Execution Time (max_execution_time) Success 300
PHP register_globals (register_globals) Success Off (False)
PHP output_buffering (output_buffering) Success 4096
disable_functions in PHP (disable_functions) Success
PHP Open Basedir (open_basedir) Success
Test for remote URL (test_remote_url) Success Success
fsockopen: Connection ok! Success
fopen: Connection ok! Success
File uploads (file_uploads) Success On (True)
Maximum Post Size (post_max_size) Success 128M
Maximum Upload Size (upload_max_filesize) Success 128M
Session Save Path (session_save_path) Success /tmp (0700)
Sessions are allowed to use Cookies (session_use_cookies) Success On (True)
Basic XML (expat) support (xml_function) Success On (True)
Checking for the XMLReader class (xmlreader_class) Success On (True)
Test ini_set (check_ini_set) Success On (True)
Test for the curl library (curl) Success On
Test curl version (curlversion) Success version 7.36.0, minimum recommended version is 7.19.7

Server Information
Server Software (server_software) apache
Server API (server_api) cgi-fcgi
Server Operating System (server_os) linux 2.6.32-673.26.1.lve1.4.20.el6.x86_64 on x86_64
Server Database (server_db_type) mysql (mysql)
Server Database Version (server_db_version) Success 5.6.23
Check database access levels (server_db_grants) Success found a "grant all" statement that appears to be suitable

Permission Information
tmp Success /home/fbcaaorg/public_html/cms/tmp (0755)
tmp_cache Success /home/fbcaaorg/public_html/cms/tmp/cache (0755)
templates_c Success /home/fbcaaorg/public_html/cms/tmp/templates_c (0755)
modules Success /home/fbcaaorg/public_html/cms/modules (0755)
uploads Success /home/fbcaaorg/public_html/cms/uploads (0755)
File Creation Mask (umask) Success /home/fbcaaorg/public_html/cms/tmp/cache (0755)
config_file Success 0444
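The symptom above (logout shows the login page, yet a fresh tab with the same cookie jar is let straight back into /admin) is what you see when logout only changes what the browser holds and the server-side session is never invalidated. The following is an added illustration, not CMS Made Simple code and not a claim about how CMSMS 2.1.6 implements its admin session: it models an in-memory admin session store with a constructed session ID and compares a client-only logout against a server-side one, replaying the reporter's steps. All names in it (SessionStore, scenario, the cookie handling) are invented for the example.

```python
"""Model of the 'logout doesn't take' symptom.

Added example: an in-memory admin session store, constructed for illustration,
showing why a logout that only tells the browser to drop its cookie (and renders
the login page) leaves the server-side session valid, so another tab that still
carries the same cookie is accepted by /admin without credentials.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SessionStore:
    # session_id -> username for currently authenticated admin sessions
    sessions: Dict[str, str] = field(default_factory=dict)

    def login(self, username: str) -> str:
        """Issue a fresh, unpredictable session ID on successful login."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def is_authenticated(self, sid: Optional[str]) -> bool:
        """What /admin does on every request: accept any session ID it still knows."""
        return sid is not None and sid in self.sessions

    def logout_client_only(self, sid: str) -> None:
        """Broken logout: render login.php and tell the one tab that clicked
        Logout to clear its cookie, but never touch the server-side store.
        Every other tab (or a reopened tab whose cookie survived) still holds
        an ID the server accepts."""
        # Deliberately no server-side change; only the response for this tab
        # would carry a 'Set-Cookie: ...; Max-Age=0' header.
        return None

    def logout_server_side(self, sid: str) -> None:
        """Correct logout: delete the session in the store, so the ID is
        rejected no matter which tab or browser still presents it."""
        self.sessions.pop(sid, None)


def scenario(broken: bool) -> bool:
    """Replay the reporter's steps; return True if the new tab is let into /admin."""
    store = SessionStore()
    sid = store.login("admin")            # log in to the admin console
    cookie_in_new_tab = sid               # all tabs share the browser's cookie jar
    if broken:
        store.logout_client_only(sid)     # click Logout, login.php is displayed
    else:
        store.logout_server_side(sid)
    # close the tab, open a new one, visit /admin with whatever cookie remains
    return store.is_authenticated(cookie_in_new_tab)


if __name__ == "__main__":
    print("client-only logout lets the new tab in:", scenario(broken=True))   # True
    print("server-side logout lets the new tab in:", scenario(broken=False))  # False
```

To check a live install rather than the model, capture the admin session cookie from the browser after login, click Logout, then replay that same cookie against the /admin URL (for instance with curl and a Cookie header); a correct logout answers with the login page, a broken one with the admin console. Note that closing a tab never invalidates anything by itself: the cookie stays in the jar until its expiry or until the server rejects the session.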
velden
Dev Team Member
Posts: 3483
Joined: Mon Nov 28, 2011 9:29 am
Location: The Netherlands

Re: Security issue? Logout of CMS Admin Console Doesn't "Take"

Post by velden »

I could not quickly reproduce this behavior while working on your site. Let's see if we can have a look while doing the other works.
Rolf
Power Poster
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am
Location: The Netherlands

Re: Security issue? Logout of CMS Admin Console Doesn't "Take"

Post by Rolf »

I suspect this is a third party plugin issue. CMSMS 2.1.6 has been downloaded thousands of times in the last months and this is the first report...

Check these modules:
CMSForms 1.11.2
CSSMenu 1.2.2
CustomContent 1.10
JSCookMenu .02
PHPLayers 1.1

Do you use them? If not, disable and check again.
If you find the culprit, uninstall and remove it...
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: Security issue? Logout of CMS Admin Console Doesn't "Take"

Post by calguy1000 »

I tried two separate installations and could not reproduce the issue.
postiffm
Forum Members
Posts: 124
Joined: Tue Nov 30, 2010 12:16 am

Re: Security issue? Logout of CMS Admin Console Doesn't "Take"

Post by postiffm »

I cannot reproduce it on a second Windows desktop using the same browser.
postiffm
Forum Members
Posts: 124
Joined: Tue Nov 30, 2010 12:16 am

Re: Security issue? Logout of CMS Admin Console Doesn't "Take"

Post by postiffm »

About the third-party modules you mention:

CMSForms 1.11.2
My Module Manager does not show this module so I have to delete some other way (?)

CSSMenu 1.2.2
Ditto.

CustomContent 1.10
I see it in Module Manager. It must be old cruft. I do use the Protected Content, but am I right to guess I can nuke CustomContent since its functionality is included within the newer version of CMSMS?

JSCookMenu .02
I don't see this in Module Manager.

PHPLayers 1.1
I don't see this in Module Manager.