[Tickets #2731] NEW: logout security
bugs@bugs.horde.org
bugs at bugs.horde.org
Tue Oct 4 10:36:09 PDT 2005
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=2731
-----------------------------------------------------------------------
Ticket | 2731
Created By | dgehl at inverse.ca
Summary | logout security
Queue | Horde Base
Version | 3.0.5
State | Unconfirmed
Priority | 3. High
Type | Bug
Owners |
-----------------------------------------------------------------------
dgehl at inverse.ca (2005-10-04 10:36) wrote:
In Horde 3.0.5 the logout button seems to not close the session
appropriately.
After logging out of a Horde 3.0.5 session, I can access Horde bypassing
completely the login screen (I don't need to login again). Accessing the URL
'http://localhost/horde' is sufficient to be presented with the list of
messages. This bug is not present in Horde 3.0.4.
Here are some more details about my configuration:
- horde/config/conf.php
$conf['session']['name'] = 'Horde';
$conf['session']['cache_limiter'] = 'nocache';
$conf['session']['timeout'] = 0;
$conf['prefs']['driver'] = 'sql';
$conf['sessionhandler']['type'] = 'mysql';
$conf['auth']['checkip'] = true;
$conf['auth']['params']['app'] = 'imp';
$conf['auth']['driver'] = 'application';
- php.ini
session.use_cookies = 1
session.use_only_cookies = 1
session.cookie_lifetime = 0
Another piece of information which may be useful: the horde_sessionhandler
table contains after the logout still a huge amount of serialized variables
(for this particular session), whereas in horde 3.0.4, the same table
contains after the logout only
hordeMessageStacks|a:2:{s:10:"javascript";a:0:{}s:6:"status";N;}horde_language|s:5:"en_US";
If I replace (after the logout) the contents of the horde 3.0.5 session in
the horde_sessionhandler table with the one obtained in 3.0.4, I cannot any
more access the system without first logging in again.
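The check the reporter did by hand (inspect the horde_sessionhandler row after logout and see which variables survived) as an added Python example; this is not Horde code. It decodes the PHP session-row format quoted above ("name|serialized-value", one pair after another) and reports every variable beyond the two that the 3.0.4 row keeps; the 3.0.5-style row and its `example_auth_var` variable are constructed placeholders, not values from the report.

```python
# Variables the 3.0.4 row still contains after logout (from the report).
EXPECTED_AFTER_LOGOUT = {"hordeMessageStacks", "horde_language"}


def _parse_value(data, pos):
    """Parse one PHP-serialized value at data[pos]; return (value, next_pos)."""
    tag = data[pos]
    if tag == "N":                                  # N;
        return None, pos + 2
    if tag in "ibd":                                # i:1;  b:0;  d:1.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        val = float(raw) if tag == "d" else int(raw)
        return (bool(val) if tag == "b" else val), end + 1
    if tag == "s":                                  # s:5:"en_US";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                           # skip :"
        return data[start:start + length], start + length + 2  # skip ";
    if tag == "a":                                  # a:2:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                             # skip :{
        result = {}
        for _ in range(count):
            key, pos = _parse_value(data, pos)
            result[key], pos = _parse_value(data, pos)
        return result, pos + 1                      # skip }
    raise ValueError(f"unsupported serialized type {tag!r} at offset {pos}")


def parse_session(row):
    """Decode a PHP session row ("name|value" pairs) into {name: value}."""
    session, pos = {}, 0
    while pos < len(row):
        bar = row.index("|", pos)
        name = row[pos:bar]
        session[name], pos = _parse_value(row, bar + 1)
    return session


def leftover_after_logout(row):
    """Names of session variables that a clean logout should have removed."""
    return sorted(set(parse_session(row)) - EXPECTED_AFTER_LOGOUT)


# The 3.0.4 post-logout row exactly as quoted in the report.
ROW_304 = 'hordeMessageStacks|a:2:{s:10:"javascript";a:0:{}s:6:"status";N;}horde_language|s:5:"en_US";'
# Constructed stand-in for a 3.0.5 row: the same two variables plus a
# placeholder login variable (not a real Horde name) that survived logout.
ROW_305_EXAMPLE = ROW_304 + 'example_auth_var|a:1:{s:6:"userid";s:5:"alice";}'
```

Run `leftover_after_logout` over the row stored for a session after pressing logout: an empty list is the 3.0.4 behaviour, anything else is state that was not cleared.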