Comment on [#7931] Left Logout button throws "malicious request"
> At the time that I posted my addition to this bug report, the answer to
> Jan's question was "yes". I was using the Memcache Session Handler (not
> Horde Memcache Session Handler) which was through the specification of
> it in the php.ini file.
>
> However, since that time, I have also been experimenting with the Horde
> MySQL session handler. I have also experienced the same behavior.
> However, I have been able to isolate the behavior a little more.
>
> I don't know whether it would be construed as a bug or just undesirable
> behavior which is understandable.
>
> Installed Software
> ------------------
>
> * RHEL5 RPM Installations
>     Apache 2.2
>     PHP 5.1.6
>     MySQL 5.0.45
>
> * Horde Groupware Webmail edition (version 1.2.3)
>     Configured to use Horde MySQL session handler
>
> Configuration
> -------------
> * Database => MySQL
> * Authentication => Imp
> * Session Handler => Horde MySQL Session Handler
>
> Steps (run from a Linux desktop)
> -----
> 1. Connect to Webmail and successfully authenticate.
>
> 2. Let the session remain idle gc_maxlifetime and have garbage collection
>    take place. (So the session ID associated with Step #1 is removed from
>    the horde_sessionhandler table).
>
> 3. Open another browser window, running on the SAME desktop, and log in
>    using the SAME login.
>
> 4. Now click on the "Logout" button associated with the idle session
>    established in Step #1. The browser will return a page stating
>
>      "We cannot verify that this request was really sent by you. It
>      could be a malicious request. If you intended to perform this
>      action, you can retry it now."
>
> 5. If instead, you click on any other button, things continue as normal,
>    but I think that it is operating off of the new session ID (and
>    cookie) associated with the session established in Step #3.
>
> If I perform Step #3 from the SAME desktop and use a DIFFERENT login from
> that which was used in Step #1, the logout and all other operations work,
> meaning that the session (from Step #1) is automatically logged out.
>
> If I perform Step #3 from a different desktop and use the SAME login as in
> Step #1, the logout and all other operations also work.
>
> Does this make sense? I can try to further explain, if necessary.
>
> Please note: I have not gone back to my Memcache configuration to verify
>              if the pattern that I have found with MySQL also applies to
>              the Memcache scenario that I documented before.