[Tickets #8331] Re: shall we need a token for logout?

bugs at horde.org bugs at horde.org
Tue Jun 9 08:15:18 UTC 2009


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/8331
------------------------------------------------------------------------------
  Ticket             | 8331
  Updated By         | dom.lalot at gmail.com
  Summary            | shall we need a token for logout?
  Queue              | Horde Framework Packages
  Version            | FRAMEWORK_3
  Type               | Enhancement
  State              | Rejected
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


dom.lalot at gmail.com (2009-06-09 04:15) wrote:

> By doing this your users can be logged out by someone who includes  
> an image in an email pointing to a logout link. It's a denial of  
> service type of attack.

Yes, I know, but it is not, properly speaking, a denial of service. It
should be rare.

I'll be obliged to leave with my patch and some other colleagues
without tokens! (bad idea...) Even if a CAS SSO server is able to know
which service has been used, it will have no idea of the token to
log out a user. We can just say: for that service, use that URL.

There will be a better patch to furnish a list of servers which are
authorized to log out without a token. What do you think about it?

Dom
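The two authorization paths argued over in this ticket (a per-session logout token versus an allowlist of servers permitted to log out without one) can be illustrated with a small handler. The code below is an added example, not Horde's code and not the patch under discussion; every name in it (new_logout_token, logout_decision, the network allowlist and the sample addresses) is a constructed assumption.

```python
import hmac
import secrets
from ipaddress import ip_address, ip_network

# Constructed example. Models the logout decision discussed in the ticket:
#   1. the request carries the per-session logout token, or
#   2. it originates from a server on an explicit allowlist (the proposed
#      CAS single-logout case), which is exempted from the token check.
# None of these names are Horde's own API.


def new_logout_token() -> str:
    """Issue an unguessable per-session token to embed in the logout link."""
    return secrets.token_urlsafe(32)


def token_matches(session_token, request_token) -> bool:
    """Compare the token stored in the session with the one on the request."""
    if session_token is None or request_token is None:
        return False
    # constant-time comparison so the check does not leak the token byte by byte
    return hmac.compare_digest(session_token, request_token)


def from_trusted_server(remote_addr, allowlist) -> bool:
    """True if remote_addr lies inside one of the allowlisted networks."""
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in ip_network(net, strict=False) for net in allowlist)


def logout_decision(session_token, request_token, remote_addr, allowlist=()):
    """Return (allowed, reason) for a logout request."""
    if token_matches(session_token, request_token):
        return True, "token"
    if from_trusted_server(remote_addr, allowlist):
        return True, "trusted-server"
    return False, "rejected"


def demo():
    """Run the scenarios from the ticket against constructed sample data."""
    session_token = new_logout_token()
    sso_allowlist = ["192.0.2.0/24"]          # constructed CAS server network
    results = {
        # user clicks the real logout link, which carries the session token
        "user-with-token": logout_decision(session_token, session_token,
                                           "203.0.113.5", sso_allowlist),
        # image in an email points at the logout URL without a token
        "email-image": logout_decision(session_token, None,
                                       "203.0.113.5", sso_allowlist),
        # SSO server performing single logout, no token but allowlisted
        "cas-single-logout": logout_decision(session_token, None,
                                             "192.0.2.10", sso_allowlist),
        # garbage address with a wrong token
        "bad-address": logout_decision(session_token, "guess",
                                       "not-an-ip", sso_allowlist),
    }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> {outcome}")
```

The allowlist path is the weaker of the two: a source-address check trusts the network layer (and any proxy that rewrites it), whereas the token is bound to the session itself. If the SSO exemption is adopted, having the SSO server present a shared secret in its logout request rather than relying on its address alone keeps the forced-logout scenario quoted above closed.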