Summary | logout security |
Queue | Horde Base |
Queue Version | 3.0.5 |
Type | Bug |
State | Resolved |
Priority | 3. High |
Owners | Horde Developers (at) |
Requester | dgehl (at) inverse (dot) ca |
Created | 10/04/2005 (7215 days ago) |
Due | |
Updated | 10/31/2005 (7188 days ago) |
Assigned | 10/31/2005 (7188 days ago) |
Resolved | 10/31/2005 (7188 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
State ⇒ Resolved
State ⇒ Assigned
$result = @mysql_query('COMMIT', $this->_db);
$result = @mysql_query('SET AUTOCOMMIT=1', $this->_db);
at the end of the destroy function in
/lib/Horde/SessionHandler/mysql.php
(similar to the 'write' function)
the bug disappears
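The reporter's fix (an explicit COMMIT and SET AUTOCOMMIT=1 at the end of destroy(), mirroring what write() already does) implies that the DELETE issued on logout was never committed, so the next request presenting the same cookie still found the session row. The following script is an added example, not Horde's code: it models that handler with sqlite3 in place of MySQL so it runs offline. The table name horde_sessionhandler comes from the report; the column names, the session id and the session contents are made up for the example.

```python
"""Model of a SQL-backed PHP session handler whose destroy() runs its DELETE
inside a transaction and (in the buggy variant) never commits it.

Added example, not Horde code. sqlite3 stands in for MySQL; the column
names, the session id and the session payload are assumed/constructed.
"""
import os
import sqlite3
import tempfile

# Table name is from the bug report; the columns are an assumption.
SCHEMA = ("CREATE TABLE IF NOT EXISTS horde_sessionhandler "
          "(session_id TEXT PRIMARY KEY, session_data BLOB)")


class SessionStore:
    """One PHP request's database connection."""

    def __init__(self, path, commit_on_destroy):
        self.commit_on_destroy = commit_on_destroy
        # isolation_level=None: no implicit transactions, i.e. autocommit on,
        # as MySQL behaves by default. The handler then opens explicit
        # transactions, which mirrors SET AUTOCOMMIT=0 ... COMMIT.
        self.db = sqlite3.connect(path, isolation_level=None)
        self.db.execute(SCHEMA)

    def write(self, sid, data):
        self.db.execute("BEGIN")
        self.db.execute(
            "INSERT OR REPLACE INTO horde_sessionhandler VALUES (?, ?)",
            (sid, data))
        self.db.execute("COMMIT")  # write() commits, as the report notes

    def destroy(self, sid):
        self.db.execute("BEGIN")
        self.db.execute(
            "DELETE FROM horde_sessionhandler WHERE session_id = ?", (sid,))
        if self.commit_on_destroy:
            self.db.execute("COMMIT")  # the reporter's fix
        # Without the COMMIT the DELETE stays uncommitted and is rolled
        # back when the connection closes at the end of the request.

    def close(self):
        self.db.close()


def read_session(path, sid):
    """Fresh connection, as the next request's PHP process would open."""
    db = sqlite3.connect(path, isolation_level=None)
    row = db.execute(
        "SELECT session_data FROM horde_sessionhandler WHERE session_id = ?",
        (sid,)).fetchone()
    db.close()
    return None if row is None else row[0]


def simulate_logout(commit_on_destroy):
    """Log in (write), log out (destroy), then replay the cookie.

    Returns True when the replayed session id still finds a row, i.e. the
    logout could be bypassed; False when the row is really gone.
    """
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        store = SessionStore(path, commit_on_destroy)
        # Constructed payload; the key name is invented for the example.
        store.write("abc123", b'example_auth|s:5:"alice";')
        store.destroy("abc123")
        store.close()  # request ends: uncommitted work is rolled back
        return read_session(path, "abc123") is not None
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("bypass without COMMIT:", simulate_logout(commit_on_destroy=False))
    print("bypass with COMMIT:   ", simulate_logout(commit_on_destroy=True))
```

The same check against a real deployment is to log out, then re-issue the request with the old cookie and query the session table from a second connection: a row that is still present after the logout request has finished is the symptom described in this ticket.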
Switching from the mysql session handler to the pear session handler
($conf['sessionhandler']['type'] = 'sql';) makes it disappear though ...
The MySQL version I'm using is 4.1.12
When I change to the mysql session handler
$conf['sessionhandler']['type'] = 'mysql';
the problem re-appears
State ⇒ Feedback
$conf['auth']['driver'] = 'http';
Priority ⇒ 3. High
Type ⇒ Bug
Summary ⇒ logout security
Queue ⇒ Horde Base
State ⇒ Unconfirmed
appropriately.
After logging out of a Horde 3.0.5 session, I can access Horde,
completely bypassing the login screen (I don't need to log in again).
Accessing the URL 'http://localhost/horde' is sufficient to be
presented with the list of messages. This bug is not present in Horde
3.0.4.
Here are some more details about my configuration:
- horde/config/conf.php
$conf['session']['name'] = 'Horde';
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['timeout'] = 0;
$conf['prefs']['driver'] = 'sql';
$conf['sessionhandler']['type'] = 'mysql';
$conf['auth']['checkip'] = true;
$conf['auth']['params']['app'] = 'imp';
$conf['auth']['driver'] = 'application';
- php.ini
session.use_cookies = 1
session.use_only_cookies = 1
session.cookie_lifetime = 0
Another piece of information which may be useful: after the logout, the
horde_sessionhandler table still contains a huge amount of serialized
variables (for this particular session), whereas in Horde 3.0.4 the same
table contains after the logout only
hordeMessageStacks|a:2:{s:10:"javascript";a:0:{}s:6:"status";N;}horde_language|s:5:"en_US";
If I replace (after the logout) the contents of the Horde 3.0.5 session
in the horde_sessionhandler table with the one obtained in 3.0.4, I can
no longer access the system without first logging in again.
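The reporter compared the post-logout row in horde_sessionhandler by eye. To make that check repeatable, here is an added example (not Horde code) that parses PHP's default session serialization (name|value pairs, each value in serialize() format) and flags a row that still carries keys beyond the two that remain after a 3.0.4 logout. The 3.0.4 row is the one quoted in the report; the 3.0.5-style row with an extra key is constructed, and its key name is invented for illustration.

```python
"""Parser for PHP's default session serialization, used to inspect what a
logged-out session row still contains.

Added example, not Horde code. Handles the serialize() types s, i, b, d,
N and a (nested arrays); objects are not needed for session rows here.
"""

# The row Horde 3.0.4 leaves behind after logout, quoted from the report.
SAMPLE_HORDE_304 = (
    'hordeMessageStacks|a:2:{s:10:"javascript";a:0:{}s:6:"status";N;}'
    'horde_language|s:5:"en_US";'
)

# Constructed stand-in for a 3.0.5 row: the same residue plus a leftover
# key. The key name "example_auth" is invented for this example.
SAMPLE_LEFTOVER = SAMPLE_HORDE_304 + 'example_auth|a:1:{s:4:"user";s:5:"alice";}'

# Keys that a correctly logged-out 3.0.4 session still carries (from the report).
BENIGN_AFTER_LOGOUT = frozenset({"hordeMessageStacks", "horde_language"})


def parse_php_value(data, pos):
    """Parse one serialize() value starting at data[pos]; return (value, next_pos)."""
    t = data[pos]
    if t == "N":                       # N;
        return None, pos + 2
    if t in "ibd":                     # i:42;  b:1;  d:1.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        conv = {"i": int, "b": lambda v: v == "1", "d": float}[t]
        return conv(raw), end + 1
    if t == "s":                       # s:5:"en_US";  (length is in bytes)
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2              # skip :"
        value = data[start:start + length]
        if data[start + length:start + length + 2] != '";':
            raise ValueError("malformed string at %d" % pos)
        return value, start + length + 2
    if t == "a":                       # a:2:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                  # skip :{
        result = {}
        for _ in range(count):
            key, p = parse_php_value(data, p)
            val, p = parse_php_value(data, p)
            result[key] = val
        if data[p] != "}":
            raise ValueError("malformed array at %d" % pos)
        return result, p + 1
    raise ValueError("unsupported type %r at %d" % (t, pos))


def parse_php_session(data):
    """Split 'name|value' entries and decode each value into a dict."""
    if isinstance(data, bytes):
        data = data.decode("latin-1")  # keep byte lengths exact for s:N:
    out, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        name = data[pos:bar]
        out[name], pos = parse_php_value(data, bar + 1)
    return out


def session_looks_logged_out(data, benign=BENIGN_AFTER_LOGOUT):
    """True if the row carries only the keys a 3.0.4 logout leaves behind."""
    return set(parse_php_session(data)) <= set(benign)


if __name__ == "__main__":
    print(parse_php_session(SAMPLE_HORDE_304))
    print("3.0.4 row logged out:", session_looks_logged_out(SAMPLE_HORDE_304))
    print("leftover row logged out:", session_looks_logged_out(SAMPLE_LEFTOVER))
```

Run it against a row copied from `SELECT session_data FROM horde_sessionhandler WHERE session_id = ...` after logging out; any key beyond the two benign ones means the logout did not clear the server-side state, which is what lets the old cookie through.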