6.0.0-git
2019-03-21

[#8331] shall we need a token for logout?
Summary shall we need a token for logout?
Queue Horde Framework Packages
Queue Version FRAMEWORK_3
Type Enhancement
State Rejected
Priority 1. Low
Owners
Requester dom.lalot (at) gmail (dot) com
Created 2009-06-08 (3573 days ago)
Due
Updated 2009-06-09 (3572 days ago)
Assigned
Resolved 2009-06-08 (3573 days ago)
Milestone
Patch No

History
2009-06-09 14:16:56 Chuck Hagenbuch Comment #4 Reply to this comment
> I'll be obliged to leave with my patch and some other colleagues
> without tokens! (bad idea..) Even if a CAS SSO server is able to know
> which service has been used, it will have no idea of the token to
> logout a user. We can just say: for that service, use that URL.
>
> There will be a better patch to furnish a list of servers which are
> authorized to logout without token. What do you think about it?

I'm sorry, I don't follow you at all.
2009-06-09 08:15:18 dom (dot) lalot (at) gmail (dot) com Comment #3 Reply to this comment
> By doing this your users can be logged out by someone who includes an
> image in an email pointing to a logout link. It's a denial of service
> type of attack.

Yes I know, but it's not properly speaking a denial of service. Should
be rare.

I'll be obliged to leave with my patch and some other colleagues
without tokens! (bad idea..) Even if a CAS SSO server is able to know
which service has been used, it will have no idea of the token to
logout a user. We can just say: for that service, use that URL.

There will be a better patch to furnish a list of servers which are
authorized to logout without token. What do you think about it?

Dom
2009-06-08 15:22:56 Chuck Hagenbuch Comment #2
State ⇒ Rejected
Patch ⇒ No
Reply to this comment
By doing this your users can be logged out by someone who includes an 
image in an email pointing to a logout link. It's a denial of service 
type of attack.
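The attack described in this comment (a token-less logout link fetched as an image from an HTML mail), and the "list of servers authorized to logout without token" idea raised in Comment #3, as an added example. This is not Horde's code: Horde's login.php is PHP, and the three handlers below are stand-ins written in Python for this page. The session/request classes, the `referer` field, the `SSO_LOGOUT_ORIGINS` allow-list and the host `cas.example.org` are assumptions constructed for the example.

```python
"""Logout endpoint with no token, with a session-bound token, and with an
SSO allow-list, replayed against the scenarios discussed in the thread."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Session:
    """A logged-in browser session. The token is minted once per session,
    so a page or mail the attacker controls cannot know it."""
    user: Optional[str]
    logout_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """The parts of an HTTP request the handlers look at. `referer` stands in
    for the Referer header (a constructed field for this example)."""
    params: dict
    referer: Optional[str] = None


def logout_unprotected(session: Session, req: Request) -> str:
    """What the thread's patch leaves behind: any request carrying
    logout_reason ends the session, whoever made the browser send it."""
    if not req.params.get("logout_reason"):
        return "ignored"
    session.user = None
    return "logged out"


def logout_with_token(session: Session, req: Request) -> str:
    """The check the patch removes: while a user is logged in, the request
    must carry the token bound to that session (cf. horde_logout_token)."""
    if not req.params.get("logout_reason"):
        return "ignored"
    if session.user is not None:
        supplied = req.params.get("horde_logout_token", "")
        if not hmac.compare_digest(supplied, session.logout_token):
            return "rejected: missing or wrong token"
    session.user = None
    return "logged out"


# Assumption for the example: the origin of the single-sign-on server whose
# logout page embeds the application logout URLs in iframes.
SSO_LOGOUT_ORIGINS = {"https://cas.example.org"}


def referer_origin(referer: Optional[str]) -> Optional[str]:
    """Reduce a Referer URL to scheme://host so paths on the SSO do not matter."""
    if not referer:
        return None
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}"


def logout_with_allowlist(session: Session, req: Request) -> str:
    """The allow-list idea from the thread, done via the Referer: a token-less
    logout is honoured only when the browser reports that an allow-listed SSO
    page triggered the request. Caveat: an absent Referer must count as
    untrusted (a mail client fetching an <img> sends none), and the header is
    a browser hint, not an authenticated claim about who built the page."""
    if not req.params.get("logout_reason"):
        return "ignored"
    trusted = referer_origin(req.referer) in SSO_LOGOUT_ORIGINS
    if session.user is not None and not trusted:
        supplied = req.params.get("horde_logout_token", "")
        if not hmac.compare_digest(supplied, session.logout_token):
            return "rejected: missing or wrong token"
    session.user = None
    return "logged out"


def run_scenarios() -> dict:
    """Replay three constructed requests against each handler; the value is
    True when the request ended the session."""
    results = {}
    handlers = [("unprotected", logout_unprotected),
                ("token", logout_with_token),
                ("allowlist", logout_with_allowlist)]
    for name, handler in handlers:
        # 1. Cross-site: <img src=".../login.php?logout_reason=logout"> in an
        #    HTML mail. No token, no Referer.
        s = Session(user="alice")
        handler(s, Request({"logout_reason": "logout"}))
        results[(name, "img-in-mail")] = s.user is None

        # 2. Legitimate: the user's own logout link carrying the session token.
        s = Session(user="alice")
        handler(s, Request({"logout_reason": "logout",
                            "horde_logout_token": s.logout_token}))
        results[(name, "own-link")] = s.user is None

        # 3. SSO single logout: iframe on the SSO logout page, no token,
        #    Referer names the SSO server.
        s = Session(user="alice")
        handler(s, Request({"logout_reason": "logout"},
                           referer="https://cas.example.org/logout"))
        results[(name, "sso-iframe")] = s.user is None
    return results


if __name__ == "__main__":
    for key, ended in sorted(run_scenarios().items()):
        print(f"{key[0]:12s} {key[1]:12s} session ended: {ended}")
```

The unprotected handler ends the session in all three cases, which is the problem this comment raises; the token handler blocks the mail image but also blocks the SSO iframe, which is the problem the requester has; the allow-list handler separates the two only as long as a missing Referer is treated as untrusted.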
2009-06-08 15:22:17 Chuck Hagenbuch Deleted Original Message
 
2009-06-08 14:38:04 dom (dot) lalot (at) gmail (dot) com Comment #1
Type ⇒ Enhancement
State ⇒ New
Priority ⇒ 1. Low
Summary ⇒ shall we need a token for logout?
Queue ⇒ Horde Framework Packages
Milestone ⇒
Patch ⇒ Yes
New Attachment: login.patch
Reply to this comment
We are using a CAS SSO. To logout all user applications, we produce a
page with iframes pointing to logout URLs.

As there is now a token for logout action, we can't log out users.

I patched login.php:

Shall we consider that we must protect the logout form? What can be an
attack using logout form? For me: nothing..

root@ent1:/var/www/perso# diff -u -p horde/login.php.org horde/login.php

--- horde/login.php.org 2009-06-08 16:27:27.000000000 +0200

+++ horde/login.php     2009-06-08 16:26:51.000000000 +0200

@@ -60,12 +60,6 @@ if (($pos = strrpos($url_in, '#')) !== f

  }



  if ($logout_reason) {

-    if (Auth::getAuth()) {

-        $result = Horde::checkRequestToken('horde.logout', 
Util::getFormData('horde_logout_token'));

-        if (is_a($result, 'PEAR_Error')) {

-            exit($result->getMessage());

-        }

-    }



      $login_screen = $auth->getLoginScreen();

      if (Util::getFormData('nosidebar') &&
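Review bot: the hunk drops the `Horde::checkRequestToken('horde.logout', ...)` check for every caller, not just the CAS single-logout case it is meant to serve, so after it any request to login.php that sets `$logout_reason`, including a GET triggered by an image in an HTML mail, ends the session of a logged-in user. Keep the check and make the exemption explicit instead: skip it only behind a configuration option, or only for requests attributable to a configured list of SSO servers as proposed later in this ticket, and leave the `Auth::getAuth()` guard in place so the check still applies to authenticated sessions. The deleted `exit($result->getMessage())` path also had a side benefit worth preserving: a bypass attempt fails loudly rather than silently succeeding.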