Tickets :: [#2731] logout security

6.0.0-git

2021-01-18

Summary	logout security
Queue	Horde Base
Queue Version	3.0.5
Type	Bug
State	Resolved
Priority	3. High
Owners	Horde Developers (at)
Requester	dgehl (at) inverse (dot) ca
Created	2005-10-04 (5585 days ago)
Due
Updated	2005-10-31 (5558 days ago)
Assigned	2005-10-31 (5558 days ago)
Resolved	2005-10-31 (5558 days ago)
Milestone
Patch	No

2005-10-31 19:48:54	Chuck Hagenbuch	Comment #7 State ⇒ Resolved	Reply to this comment
Fix committed - thanks!

2005-10-31 15:49:07	Jan Schneider	Assigned to Horde Developers State ⇒ Assigned

2005-10-31 15:40:10	dgehl (at) inverse (dot) ca	Comment #6	Reply to this comment
By adding $result = @mysql_query('COMMIT', $this->_db); $result = @mysql_query('SET AUTOCOMMIT=1', $this->_db); at the end of the destroy function in /lib/Horde/SessionHandler/mysql.php (similar to the 'write' function) the bug disappears

2005-10-31 15:26:59	dgehl (at) inverse (dot) ca	Comment #5	Reply to this comment
I just tried horde-3.0.6 and I can still reproduce the bug. Switching from the mysql session handler to the pear session handler ($conf['sessionhandler']['type'] = 'sql';) makes it disappear though ... The MySQL version I'm using is 4.1.12

2005-10-25 16:11:46	dgehl (at) inverse (dot) ca	Comment #4	Reply to this comment
Does it work if you use the default session handler? Yes everything works fine using the default session handler. When I change to the mysql session handler $conf['sessionhandler']['type'] = 'mysql'; the problem re-appears

2005-10-25 12:37:22	Jan Schneider	Comment #3 State ⇒ Feedback	Reply to this comment
Does it work if you use the default session handler?

2005-10-04 20:44:52	dgehl (at) inverse (dot) ca	Comment #2	Reply to this comment
Same behavior happens when setting $conf['auth']['driver'] = 'http';

2005-10-04 17:36:08	dgehl (at) inverse (dot) ca	Comment #1 Type ⇒ Bug State ⇒ Unconfirmed Priority ⇒ 3. High Summary ⇒ logout security Queue ⇒ Horde Base	Reply to this comment
In Horde 3.0.5 the logout button seems to not close the session appropriatetly. After logging out of a Horde 3.0.5 session, I can access Horde bypassing completely the login screen (I don't need to login again). Accessing the URL 'http://localhost/horde' is sufficient to be presented with the list of messages. This bug is not present in Horde 3.0.4 Here are some more details about my configuration: - horde/config/conf.php $conf['session']['name'] = 'Horde'; $conf['session']['cache_limiter'] = 'nocache'; $conf['session']['timeout'] = 0; $conf['prefs']['driver'] = 'sql'; $conf['sessionhandler']['type'] = 'mysql'; $conf['auth']['checkip'] = true; $conf['auth']['params']['app'] = 'imp'; $conf['auth']['driver'] = 'application'; - php.ini session.use_cookies = 1 session.use_only_cookies = 1 session.cookie_lifetime = 0 Another piece of information which may be usefull: the horde_sessionhandler table contains after the logout still a huge amount of serialized variables (for this particular session), whereas in horde 3.0.4, the same table contains after the logout only hordeMessageStacks\|a:2:{s:10:"javascript";a:0:{}s:6:"status";N;}horde_language\|s:5:"en_US"; If I replace (after le logout) the contents of the horde 3.0.5 session in the horde_sessionhandler table with the one obtained in 3.0.4, I cannot any more access the system without first logging in again.