[#2731] logout security
Summary logout security
Queue Horde Base
Queue Version 3.0.5
Type Bug
State Resolved
Priority 3. High
Owners Horde Developers (at)
Requester dgehl (at) inverse (dot) ca
Created 2005-10-04 (5585 days ago)
Due
Updated 2005-10-31 (5558 days ago)
Assigned 2005-10-31 (5558 days ago)
Resolved 2005-10-31 (5558 days ago)
Milestone
Patch No

History
2005-10-31 19:48:54 Chuck Hagenbuch Comment #7
State ⇒ Resolved
Fix committed - thanks!
2005-10-31 15:49:07 Jan Schneider Assigned to Horde Developers
State ⇒ Assigned
2005-10-31 15:40:10 dgehl (at) inverse (dot) ca Comment #6
By adding

        // commit the DELETE issued by destroy() and restore autocommit,
        // as the 'write' function already does
        $result = @mysql_query('COMMIT', $this->_db);
        $result = @mysql_query('SET AUTOCOMMIT=1', $this->_db);

at the end of the destroy function in /lib/Horde/SessionHandler/mysql.php (similar to the 'write' function), the bug disappears.
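The mechanism behind comments #1 and #6, as an added example that is not Horde code: a session handler whose destroy() leaves its DELETE inside an uncommitted transaction, so the row (and the login it represents) is still there when the next request reads the session. sqlite3 stands in for MySQL; the column names session_id/session_data, the session id and the serialized data are assumed or constructed, not taken from Horde.

```python
import os
import sqlite3
import tempfile
# Constructed stand-in for the serialized session data left in horde_sessionhandler.
LOGGED_IN_DATA = 'horde_auth|a:1:{s:6:"userId";s:5:"alice";}'

class SessionHandler:
    """One instance per simulated PHP request. Python's sqlite3 opens an implicit
    transaction before the first INSERT/DELETE, like MySQL with autocommit off."""
    def __init__(self, path, commit_on_destroy):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS horde_sessionhandler "
                        "(session_id TEXT PRIMARY KEY, session_data TEXT)")
        self.commit_on_destroy = commit_on_destroy

    def read(self, sid):
        row = self.db.execute("SELECT session_data FROM horde_sessionhandler "
                              "WHERE session_id = ?", (sid,)).fetchone()
        return row[0] if row else None

    def write(self, sid, data):
        self.db.execute("INSERT OR REPLACE INTO horde_sessionhandler VALUES (?, ?)", (sid, data))
        self.db.commit()  # the real 'write' ends with COMMIT / SET AUTOCOMMIT=1

    def destroy(self, sid):
        self.db.execute("DELETE FROM horde_sessionhandler WHERE session_id = ?", (sid,))
        if self.commit_on_destroy:
            self.db.commit()  # the fix proposed in comment #6
        # Unpatched: the DELETE is left in the open transaction when the request ends.

    def end_request(self):
        self.db.close()  # closing with an open transaction rolls it back

def session_survives_logout(commit_on_destroy):
    """True if the request after logout still finds the session row (login bypass)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        login = SessionHandler(path, commit_on_destroy)
        login.write("sid-1", LOGGED_IN_DATA)
        login.end_request()
        logout = SessionHandler(path, commit_on_destroy)
        logout.destroy("sid-1")
        logout.end_request()
        revisit = SessionHandler(path, commit_on_destroy)
        survived = revisit.read("sid-1") is not None
        revisit.end_request()
        return survived
    finally:
        os.remove(path)
```

Running `session_survives_logout(False)` reproduces the report (the row outlives the logout), while `session_survives_logout(True)` shows the committed DELETE removing it.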
2005-10-31 15:26:59 dgehl (at) inverse (dot) ca Comment #5
I just tried horde-3.0.6 and I can still reproduce the bug.

Switching from the mysql session handler to the pear session handler
($conf['sessionhandler']['type'] = 'sql';) makes it disappear though ...

The MySQL version I'm using is 4.1.12

2005-10-25 16:11:46 dgehl (at) inverse (dot) ca Comment #4
> Does it work if you use the default session handler?
Yes, everything works fine using the default session handler.

When I change to the mysql session handler

$conf['sessionhandler']['type'] = 'mysql';

the problem re-appears.
2005-10-25 12:37:22 Jan Schneider Comment #3
State ⇒ Feedback
Does it work if you use the default session handler?
2005-10-04 20:44:52 dgehl (at) inverse (dot) ca Comment #2
Same behavior happens when setting

$conf['auth']['driver'] = 'http';
2005-10-04 17:36:08 dgehl (at) inverse (dot) ca Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 3. High
Summary ⇒ logout security
Queue ⇒ Horde Base
In Horde 3.0.5 the logout button seems to not close the session
appropriately.

After logging out of a Horde 3.0.5 session, I can access Horde,
bypassing the login screen completely (I don't need to log in again).
Accessing the URL 'http://localhost/horde' is sufficient to be
presented with the list of messages. This bug is not present in Horde
3.0.4.

Here are some more details about my configuration:

- horde/config/conf.php

$conf['session']['name'] = 'Horde';
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['timeout'] = 0;
$conf['prefs']['driver'] = 'sql';
$conf['sessionhandler']['type'] = 'mysql';
$conf['auth']['checkip'] = true;
$conf['auth']['params']['app'] = 'imp';
$conf['auth']['driver'] = 'application';

- php.ini

session.use_cookies = 1
session.use_only_cookies = 1
session.cookie_lifetime = 0

Another piece of information which may be useful: after the logout, the
horde_sessionhandler table still contains a huge amount of serialized
variables (for this particular session), whereas in Horde 3.0.4 the same
table contains after the logout only

hordeMessageStacks|a:2:{s:10:"javascript";a:0:{}s:6:"status";N;}horde_language|s:5:"en_US";

If I replace (after the logout) the contents of the Horde 3.0.5 session
in the horde_sessionhandler table with the one obtained in 3.0.4, I
cannot access the system any more without first logging in again.
