[Tickets #8331] shall we need a token for logout?
bugs at horde.org
Mon Jun 8 14:38:05 UTC 2009
Ticket URL: http://bugs.horde.org/ticket/8331
------------------------------------------------------------------------------
Ticket | 8331
Created By | dom.lalot at gmail.com
Summary | shall we need a token for logout?
Queue | Horde Framework Packages
Version | FRAMEWORK_3
Type | Enhancement
State | New
Priority | 1. Low
Milestone |
Patch | 1
Owners |
+New Attachment | login.patch
------------------------------------------------------------------------------
dom.lalot at gmail.com (2009-06-08 10:38) wrote:
We are using a CAS SSO. To log out all user applications, we produce
a page with iframes pointing to logout URLs.
As there is now a token for the logout action, we can't log out users.
I patched login.php:
Shall we consider that we must protect the logout form? What can be an
attack using the logout form? For me: nothing.
root at ent1:/var/www/perso# diff -u -p horde/login.php.org horde/login.php
--- horde/login.php.org 2009-06-08 16:27:27.000000000 +0200
+++ horde/login.php 2009-06-08 16:26:51.000000000 +0200
@@ -60,12 +60,6 @@ if (($pos = strrpos($url_in, '#')) !== f
}
if ($logout_reason) {
- if (Auth::getAuth()) {
- $result = Horde::checkRequestToken('horde.logout',
Util::getFormData('horde_logout_token'));
- if (is_a($result, 'PEAR_Error')) {
- exit($result->getMessage());
- }
- }
$login_screen = $auth->getLoginScreen();
if (Util::getFormData('nosidebar') &&
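Review bot: Deleting the whole `if (Auth::getAuth()) { ... }` block under `if ($logout_reason)` removes the `Horde::checkRequestToken('horde.logout', ...)` check for every installation, not only the CAS SSO setup described in the ticket. Without it, any third-party page that a logged-in user loads can end their session with a plain cross-site request, using the same iframe approach the ticket describes. The impact is limited to forced logout, but that is still a change to the default behaviour. I would keep the token check as the default and skip it only behind an explicit, off-by-default site setting for the SSO case, with a comment at that point in login.php saying why the check is bypassed.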