6.0.0-beta1
7/4/25

[#9466] If IP/browser changes during Horde session it's not possible to log in again
Summary If IP/browser changes during Horde session it's not possible to log in again
Queue Horde Framework Packages
Queue Version Git master
Type Bug
State Resolved
Priority 1. Low
Owners slusarz (at) horde (dot) org
Requester goncalo.queiros (at) portugalmail (dot) net
Created 12/22/2010 (5308 days ago)
Due
Updated 12/23/2010 (5307 days ago)
Assigned
Resolved 12/23/2010 (5307 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
12/23/2010 07:00:47 PM goncalo (dot) queiros (at) portugalmail (dot) net Comment #7

Agreed :)

12/23/2010 06:44:29 PM Michael Slusarz Comment #6
Horde is not an intrusion detection system.  The session IP is meant 
to provide security (which it does), not a definitive determination 
that you have been compromised.

Regardless, such investigation would almost certainly be performed by 
the admin, not the user.

How would you inform user A in this case?  You would have to create 
some sort of independent recording system solely for this feature.  As 
mentioned above, this feature wasn't designed for this - it is 
designed as a simple killswitch in case something fishy might be 
occurring but that's the extent of its usefulness.

12/23/2010 06:34:03 PM goncalo (dot) queiros (at) portugalmail (dot) net Comment #5
User A will be logged out with a 'session expired' message.  I don't 
see what is wrong with this: granted that it is not as detailed as 
the session IP change message, but it is an accurate statement.
The only issue is when user B does this multiple times, and user A 
will keep getting disconnected with the "Session Expired" message. 
This is a side (minor) problem, since user A's account will not be 
compromised but still, user A won't realize that someone is actually 
trying to access his account.

12/23/2010 06:27:09 PM Michael Slusarz Comment #4
The only problem I see is this:
- User A is a legitimate user that is logged in.
- User B somehow got user A's cookies
With this patch, user B will get the message stating that it seems 
his browser has changed, and user A will be logged out with no reason 
(at least he will not get any)
User A will be logged out with a 'session expired' message.  I don't 
see what is wrong with this: granted that it is not as detailed as the 
session IP change message, but it is an accurate statement.

12/23/2010 04:37:54 PM goncalo (dot) queiros (at) portugalmail (dot) net Comment #3
This solved the problem, but the session will get destroyed. The only 
problem I see is this:
- User A is a legitimate user that is logged in.
- User B somehow got user A's cookies
With this patch, user B will get the message stating that it seems his 
browser has changed, and user A will be logged out with no reason (at 
least he will not get any)
Thanks

12/23/2010 10:28:55 AM Michael Slusarz Assigned to Michael Slusarz
State ⇒ Resolved
 
12/23/2010 10:28:11 AM Git Commit Comment #2
Changes have been made in Git for this ticket:

Bug #9466: Fix clearing session for certain logout types
The first time through login.php after logout, the session will still
exist (even though is_auth might be false). This is the check we need to
perform to ensure that the user is properly logged out.

http://git.horde.org/horde-git/-/commit/a853a79beef2d73126caaa08fb8bff92e1d3a4a1

12/22/2010 10:20:47 PM goncalo (dot) queiros (at) portugalmail (dot) net Comment #1
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ If IP/browser changes during Horde session it's not possible to log in again
Queue ⇒ Horde Framework Packages
Milestone ⇒
Patch ⇒ No
State ⇒ Unconfirmed
If the user's browser or IP changes while he's logged in, he will be 
logged out, and will not be able to log in again until he clears 
the browser cookies.
Horde_Registry::checkExistingAuth seems to be the correct spot to 
clear the cookies, but I'm not sure which ones we need to clear

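An added PHP sketch (not Horde's own code) of the mechanism this ticket is about, covering both the report above and the fix described in the Git commit comment: the session is bound to the client IP and User-Agent at login, a request that no longer matches is treated as a logout, and logout tears the session down completely (data plus cookie) so that a stale, unauthenticated session left behind cannot block the next login. The function names and the `$sess` array standing in for `$_SESSION` are assumptions.

```php
<?php
// Added example (not Horde's own code): the session is bound to the client IP
// and User-Agent at login; a mismatching request is treated as a logout, and
// logout removes the session data and expires the session cookie, so a stale
// session cannot block the next login. $sess stands in for $_SESSION.
function bindSession(array &$sess, string $user, string $ip, string $ua): void
{
    $sess = ['is_auth' => true, 'user' => $user,
             'bind_ip' => $ip, 'bind_ua' => hash('sha256', $ua)];
}
// Full teardown: flipping is_auth alone leaves a stale session behind.
function logoutSession(array &$sess): void
{
    $sess = [];
    if (PHP_SAPI !== 'cli' && session_status() === PHP_SESSION_ACTIVE) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'],
                  $p['domain'], $p['secure'], $p['httponly']);
        session_destroy();
    }
}
// True while the request matches the bound client; otherwise logs out.
function checkSession(array &$sess, string $ip, string $ua): bool
{
    if (empty($sess['is_auth'])) {
        return false;
    }
    if ($sess['bind_ip'] === $ip
        && hash_equals($sess['bind_ua'], hash('sha256', $ua))) {
        return true;
    }
    logoutSession($sess);   // the "killswitch" the maintainer describes
    return false;
}
// login.php entry: a leftover, unauthenticated session is cleared first.
function ensureLoggedOut(array &$sess): void
{
    if ($sess !== [] && empty($sess['is_auth'])) {
        logoutSession($sess);
    }
}

// Constructed scenarios: a request from a different address, then a leftover
// session where only is_auth was cleared (the state this ticket describes).
$sess = [];
bindSession($sess, 'alice', '203.0.113.10', 'Mozilla/5.0 (X11)');
var_dump(checkSession($sess, '198.51.100.7', 'Mozilla/5.0 (X11)'), $sess);
$sess = ['is_auth' => false, 'user' => 'alice'];
ensureLoggedOut($sess);
var_dump($sess);
```

Run from the command line the cookie handling is skipped (no active session); in a web request it expires the session cookie alongside `session_destroy()`.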