Fri, 10 Apr 2026 18:48:27 +0000 https://bugs.horde.org/ticket/2731 logout security In Horde 3.0.5 the logout button seems to not close the session appropriatetly. After logging out of a Horde 3.0.5 session, I can access Horde bypassing completely the login screen (I don't need to login again). Accessing the URL 'http://localhost/horde' is sufficient to be presented with the list of messages. This bug is not present in Horde 3.0.4 Here are some more details about my configuration: - horde/config/conf.php $conf['session']['name'] = 'Horde'; $conf['session']['cache_limiter'] = 'nocache'; $conf['session']['timeout'] = 0; $conf['prefs']['driver'] = 'sql'; $conf['sessionhandler']['type'] = 'mysql'; $conf['auth']['checkip'] = true; $conf['auth']['params']['app'] = 'imp'; $conf['auth']['driver'] = 'application'; - php.ini session.use_cookies = 1 session.use_only_cookies = 1 session.cookie_lifetime = 0 Another piece of information which may be usefull: the horde_sessionhandler table contains after the logout still a huge amount of serialized variables (for this particular session), whereas in horde 3.0.4, the same table contains after the logout only hordeMessageStacks|a:2:{s:10:"javascript";a:0:{}s:6:"status";N;}horde_language|s:5:"en_US"; If I replace (after le logout) the contents of the horde 3.0.5 session in the horde_sessionhandler table with the one obtained in 3.0.4, I cannot any more access the system without first logging in again. Tue, 04 Oct 2005 17:36:08 +0000 https://bugs.horde.org/ticket/2731#t12155 Same behavior happens when setting $conf['auth']['driver'] = 'http'; Tue, 04 Oct 2005 20:44:52 +0000 https://bugs.horde.org/ticket/2731#t12156 Does it work if you use the default session handler? Tue, 25 Oct 2005 12:37:22 +0000 https://bugs.horde.org/ticket/2731#t12981 > Does it work if you use the default session handler? Yes everything works fine using the default session handler. When I change to the mysql session handler $conf['sessionhandler']['type'] = 'mysql'; the problem re-appears Tue, 25 Oct 2005 16:11:46 +0000 https://bugs.horde.org/ticket/2731#t12993 I just tried horde-3.0.6 and I can still reproduce the bug. Switching from the mysql session handler to the pear session handler ($conf['sessionhandler']['type'] = 'sql';) makes it disappear though ... The MySQL version I'm using is 4.1.12 Mon, 31 Oct 2005 15:26:59 +0000 https://bugs.horde.org/ticket/2731#t13299 By adding $result = @mysql_query('COMMIT', $this->_db); $result = @mysql_query('SET AUTOCOMMIT=1', $this->_db); at the end of the destroy function in /lib/Horde/SessionHandler/mysql.php (similar to the 'write' function) the bug disappears Mon, 31 Oct 2005 15:40:10 +0000 https://bugs.horde.org/ticket/2731#t13301 Fix committed - thanks! Mon, 31 Oct 2005 19:48:54 +0000 https://bugs.horde.org/ticket/2731#t13309