
[#2731] logout security
Summary logout security
Queue Horde Base
Queue Version 3.0.5
Type Bug
State Resolved
Priority 3. High
Owners Horde Developers (at)
Requester dgehl (at) inverse (dot) ca
Created 10/04/2005 (7215 days ago)
Due
Updated 10/31/2005 (7188 days ago)
Assigned 10/31/2005 (7188 days ago)
Resolved 10/31/2005 (7188 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
10/31/2005 07:48:54 PM Chuck Hagenbuch Comment #7
State ⇒ Resolved
Fix committed - thanks!
10/31/2005 03:49:07 PM Jan Schneider Assigned to Horde Developers
State ⇒ Assigned
10/31/2005 03:40:10 PM dgehl (at) inverse (dot) ca Comment #6
By adding

         $result = @mysql_query('COMMIT', $this->_db);
         $result = @mysql_query('SET AUTOCOMMIT=1', $this->_db);

at the end of the destroy function in

/lib/Horde/SessionHandler/mysql.php

(similar to the 'write' function)

the bug disappears.
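The failure mode the comments above converge on is that destroy() issues its DELETE inside a transaction (the handler runs with autocommit switched off) and never commits it, so the session row is still in horde_sessionhandler when the next request arrives and the user is still logged in. The following added example is not Horde's code and is not PHP; it models the same behaviour with Python's sqlite3 module, which also starts an implicit transaction before a DELETE and discards it when the connection is closed uncommitted, the same thing MySQL does after SET AUTOCOMMIT=0. The table layout, session id and serialized session data are constructed for the example. The check it performs, querying the session table after logout and confirming the row is gone, is the same test the reporter did by hand in comment #1.

```python
import os
import sqlite3
import tempfile

# Constructed stand-in for Horde's horde_sessionhandler table: one row per
# PHP session, keyed by session id, holding the serialized session data.
TABLE_SQL = """
CREATE TABLE horde_sessionhandler (
    session_id           TEXT PRIMARY KEY,
    session_lastmodified INTEGER,
    session_data         BLOB
)
"""

# Constructed sample session as it would look after a successful login
# (the serialized PHP values are illustrative, not captured from Horde).
SESSION_ID = "abc123deadbeef"
LOGGED_IN_DATA = b'horde_language|s:5:"en_US";imp|a:1:{s:4:"user";s:5:"alice";}'


def create_session_db():
    """Create a temporary SQLite file holding one logged-in session; return its path."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute(TABLE_SQL)
    conn.execute(
        "INSERT INTO horde_sessionhandler VALUES (?, ?, ?)",
        (SESSION_ID, 1130000000, LOGGED_IN_DATA),
    )
    conn.commit()
    conn.close()
    return path


def destroy_without_commit(path, sid):
    """Model of the buggy destroy(): DELETE inside a transaction that is never committed.

    sqlite3 opens an implicit transaction before the DELETE, just as MySQL
    does once autocommit is off; closing the handle discards the change.
    """
    conn = sqlite3.connect(path)
    conn.execute("DELETE FROM horde_sessionhandler WHERE session_id = ?", (sid,))
    conn.close()  # no COMMIT: the DELETE is rolled back and the row survives


def destroy_with_commit(path, sid):
    """Model of the fixed destroy(): the DELETE is committed before the handle closes."""
    conn = sqlite3.connect(path)
    conn.execute("DELETE FROM horde_sessionhandler WHERE session_id = ?", (sid,))
    conn.commit()  # the equivalent of the added mysql_query('COMMIT') call
    conn.close()


def session_data(path, sid):
    """What the next request's read() sees for this session id (None once destroyed)."""
    conn = sqlite3.connect(path)
    row = conn.execute(
        "SELECT session_data FROM horde_sessionhandler WHERE session_id = ?", (sid,)
    ).fetchone()
    conn.close()
    return row[0] if row else None


def logout_survives(destroy):
    """Run one logout with the given destroy() model; True if the session is still usable."""
    path = create_session_db()
    try:
        destroy(path, SESSION_ID)
        return session_data(path, SESSION_ID) is not None
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("buggy destroy, session still valid:", logout_survives(destroy_without_commit))
    print("fixed destroy, session still valid:", logout_survives(destroy_with_commit))
```

With the buggy model the serialized login data is still readable after logout, which is exactly the "huge amount of serialized variables" the reporter saw in the table; with the committed DELETE the lookup returns nothing and the next request has to authenticate again. Whatever handler is in use, the practical check after a logout is the same: look the session id up in the backing store and make sure the row is really gone, not merely deleted inside a transaction that a later disconnect rolls back.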
10/31/2005 03:26:59 PM dgehl (at) inverse (dot) ca Comment #5
I just tried horde-3.0.6 and I can still reproduce the bug.

Switching from the mysql session handler to the pear session handler
($conf['sessionhandler']['type'] = 'sql';) makes it disappear though ...

The MySQL version I'm using is 4.1.12

10/25/2005 04:11:46 PM dgehl (at) inverse (dot) ca Comment #4
> Does it work if you use the default session handler?
Yes everything works fine using the default session handler.

When I change to the mysql session handler

$conf['sessionhandler']['type'] = 'mysql';

the problem re-appears.
10/25/2005 12:37:22 PM Jan Schneider Comment #3
State ⇒ Feedback
Does it work if you use the default session handler?
10/04/2005 08:44:52 PM dgehl (at) inverse (dot) ca Comment #2
Same behavior happens when setting

$conf['auth']['driver'] = 'http';
10/04/2005 05:36:08 PM dgehl (at) inverse (dot) ca Comment #1
Priority ⇒ 3. High
Type ⇒ Bug
Summary ⇒ logout security
Queue ⇒ Horde Base
State ⇒ Unconfirmed
In Horde 3.0.5 the logout button seems to not close the session
appropriately.

After logging out of a Horde 3.0.5 session, I can access Horde
completely bypassing the login screen (I don't need to login again).
Accessing the URL 'http://localhost/horde' is sufficient to be
presented with the list of messages. This bug is not present in Horde
3.0.4.

Here are some more details about my configuration:

- horde/config/conf.php

$conf['session']['name'] = 'Horde';
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['timeout'] = 0;
$conf['prefs']['driver'] = 'sql';
$conf['sessionhandler']['type'] = 'mysql';
$conf['auth']['checkip'] = true;
$conf['auth']['params']['app'] = 'imp';
$conf['auth']['driver'] = 'application';

- php.ini

session.use_cookies = 1
session.use_only_cookies = 1
session.cookie_lifetime = 0


Another piece of information which may be useful: the
horde_sessionhandler table still contains, after the logout, a huge
amount of serialized variables (for this particular session), whereas
in horde 3.0.4 the same table contains after the logout only

hordeMessageStacks|a:2:{s:10:"javascript";a:0:{}s:6:"status";N;}horde_language|s:5:"en_US";

If I replace (after the logout) the contents of the horde 3.0.5 session
in the horde_sessionhandler table with the one obtained in 3.0.4, I
can no longer access the system without first logging in again.

