Tickets :: Comment on [#2731] logout security

* Your Email Address
* Spam protection	Enter the letters below: . ..__ . . __ .__. \|_/ [ __\|_/ / `\| \| \| \[_./\| \\__.\|__\
Comment	> In Horde 3.0.5 the logout button seems to not close the session > appropriatetly. > > After logging out of a Horde 3.0.5 session, I can access Horde > bypassing completely the login screen (I don't need to login again). > Accessing the URL 'http://localhost/horde' is sufficient to be > presented with the list of messages. This bug is not present in Horde > 3.0.4 > > > > Here are some more details about my configuration: > > > > - horde/config/conf.php > > $conf['session']['name'] = 'Horde'; > > $conf['session']['cache_limiter'] = 'nocache'; > > $conf['session']['timeout'] = 0; > > $conf['prefs']['driver'] = 'sql'; > > $conf['sessionhandler']['type'] = 'mysql'; > > $conf['auth']['checkip'] = true; > > $conf['auth']['params']['app'] = 'imp'; > > $conf['auth']['driver'] = 'application'; > > > > - php.ini > > session.use_cookies = 1 > > session.use_only_cookies = 1 > > session.cookie_lifetime = 0 > > > > Another piece of information which may be usefull: the > horde_sessionhandler table contains after the logout still a huge > amount of serialized variables (for this particular session), whereas > in horde 3.0.4, the same table contains after the logout only > > hordeMessageStacks\|a:2:{s:10:"javascript";a:0:{}s:6:"status";N;}horde_language\|s:5:"en_US"; > > If I replace (after le logout) the contents of the horde 3.0.5 > session in the horde_sessionhandler table with the one obtained in > 3.0.4, I cannot any more access the system without first logging in > again. > >
Attachment
Watch this ticket

Saved Queries