Tickets :: [#2731] logout security

6.0.0-beta1

7/6/25

Summary	logout security
Queue	Horde Base
Queue Version	3.0.5
Type	Bug
State	Resolved
Priority	3. High
Owners	Horde Developers (at)
Requester	dgehl (at) inverse (dot) ca
Created	10/04/2005 (7215 days ago)
Due
Updated	10/31/2005 (7188 days ago)
Assigned	10/31/2005 (7188 days ago)
Resolved	10/31/2005 (7188 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch	No

10/31/2005 07:48:54 PM	Chuck Hagenbuch	Comment #7 State ⇒ Resolved	Reply to this comment
Fix committed - thanks!

10/31/2005 03:49:07 PM	Jan Schneider	Assigned to Horde Developers State ⇒ Assigned

10/31/2005 03:40:10 PM	dgehl (at) inverse (dot) ca	Comment #6	Reply to this comment
By adding $result = @mysql_query('COMMIT', $this->_db); $result = @mysql_query('SET AUTOCOMMIT=1', $this->_db); at the end of the destroy function in /lib/Horde/SessionHandler/mysql.php (similar to the 'write' function) the bug disappears

10/31/2005 03:26:59 PM	dgehl (at) inverse (dot) ca	Comment #5	Reply to this comment
I just tried horde-3.0.6 and I can still reproduce the bug. Switching from the mysql session handler to the pear session handler ($conf['sessionhandler']['type'] = 'sql';) makes it disappear though ... The MySQL version I'm using is 4.1.12

10/25/2005 04:11:46 PM	dgehl (at) inverse (dot) ca	Comment #4	Reply to this comment
Does it work if you use the default session handler? Yes everything works fine using the default session handler. When I change to the mysql session handler $conf['sessionhandler']['type'] = 'mysql'; the problem re-appears

10/25/2005 12:37:22 PM	Jan Schneider	Comment #3 State ⇒ Feedback	Reply to this comment
Does it work if you use the default session handler?

10/04/2005 08:44:52 PM	dgehl (at) inverse (dot) ca	Comment #2	Reply to this comment
Same behavior happens when setting $conf['auth']['driver'] = 'http';

10/04/2005 05:36:08 PM	dgehl (at) inverse (dot) ca	Comment #1 Priority ⇒ 3. High Type ⇒ Bug Summary ⇒ logout security Queue ⇒ Horde Base State ⇒ Unconfirmed	Reply to this comment
In Horde 3.0.5 the logout button seems to not close the session appropriatetly. After logging out of a Horde 3.0.5 session, I can access Horde bypassing completely the login screen (I don't need to login again). Accessing the URL 'http://localhost/horde' is sufficient to be presented with the list of messages. This bug is not present in Horde 3.0.4 Here are some more details about my configuration: - horde/config/conf.php $conf['session']['name'] = 'Horde'; $conf['session']['cache_limiter'] = 'nocache'; $conf['session']['timeout'] = 0; $conf['prefs']['driver'] = 'sql'; $conf['sessionhandler']['type'] = 'mysql'; $conf['auth']['checkip'] = true; $conf['auth']['params']['app'] = 'imp'; $conf['auth']['driver'] = 'application'; - php.ini session.use_cookies = 1 session.use_only_cookies = 1 session.cookie_lifetime = 0 Another piece of information which may be usefull: the horde_sessionhandler table contains after the logout still a huge amount of serialized variables (for this particular session), whereas in horde 3.0.4, the same table contains after the logout only hordeMessageStacks\|a:2:{s:10:"javascript";a:0:{}s:6:"status";N;}horde_language\|s:5:"en_US"; If I replace (after le logout) the contents of the horde 3.0.5 session in the horde_sessionhandler table with the one obtained in 3.0.4, I cannot any more access the system without first logging in again.