[Tickets #8331] Re: shall we need a token for logout?
bugs at horde.org
Tue Jun 9 08:15:18 UTC 2009
Ticket URL: http://bugs.horde.org/ticket/8331
------------------------------------------------------------------------------
Ticket | 8331
Updated By | dom.lalot at gmail.com
Summary | shall we need a token for logout?
Queue | Horde Framework Packages
Version | FRAMEWORK_3
Type | Enhancement
State | Rejected
Priority | 1. Low
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
dom.lalot at gmail.com (2009-06-09 04:15) wrote:
> By doing this your users can be logged out by someone who includes
> an image in an email pointing to a logout link. It's a denial of
> service type of attack.
Yes I know, but it's not, properly speaking, a denial of service. Should
be rare.
I'll be obliged to leave with my patch and some other colleagues
without tokens! (bad idea..) Even if a CAS SSO server is able to know
which service has been used, it will have no idea of the token to
log out a user. We can just say: for that service, use that URL.
There will be a better patch to furnish a list of servers which are
authorized to log out without a token. What do you think about it?
Dom
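The two logout paths discussed in this ticket, as an added illustration that is not Horde's code and not part of the original thread: a browser-initiated logout that is only honoured when the request carries the session's logout token (so a logout link embedded as an image in an email, which sends the cookie but cannot know the token, does nothing), and a back-channel SSO logout accepted only from an allow-listed server, as the poster proposes. Everything here is a constructed stand-in: the `Session` and `LogoutHandler` classes, the status strings, and the host names are assumptions, and the SSO path is simplified to "trusted host names a user" rather than a real CAS single-logout message.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Minimal stand-in for a server-side session record (hypothetical, not Horde's)."""
    user: str
    # Per-session secret that a logout request must echo back. A forged
    # <img src=".../logout"> request carries the cookie but cannot know this.
    logout_token: str = field(default_factory=lambda: secrets.token_hex(16))


class LogoutHandler:
    """Logout logic with a token check for browser requests and an
    allow-list for back-channel SSO requests (constructed example)."""

    def __init__(self, trusted_logout_hosts):
        self.sessions = {}  # session id (cookie value) -> Session
        self.trusted_logout_hosts = set(trusted_logout_hosts)

    def login(self, user):
        """Create a session and return the id the browser would hold in a cookie."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user)
        return sid

    def logout_token(self, sid):
        """Token the application embeds in its own logout link for this session."""
        return self.sessions[sid].logout_token

    def handle_logout(self, sid, token=None):
        """Browser-initiated logout: the request identifies the session via the
        cookie (sid) and must also present the session's logout token."""
        session = self.sessions.get(sid)
        if session is None:
            return "no_session"
        if token is None:
            # Exactly the cross-site case from the ticket: a link or image
            # that triggers the logout URL without the token is ignored.
            return "rejected_missing_token"
        if not hmac.compare_digest(token, session.logout_token):
            return "rejected_bad_token"
        del self.sessions[sid]
        return "logged_out"

    def sso_logout(self, user, remote_host):
        """Back-channel logout requested by an SSO server that has no way to
        know the per-session token. Only allow-listed hosts may do this.
        (Simplification: keyed by user name; a real CAS single-logout
        request would reference the service ticket instead.)"""
        if remote_host not in self.trusted_logout_hosts:
            return "rejected_untrusted_host"
        ended = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in ended:
            del self.sessions[sid]
        return "logged_out" if ended else "no_session"


def demo():
    """Walk through both paths and return the observed outcomes."""
    h = LogoutHandler(trusted_logout_hosts=["cas.example.test"])  # constructed host
    sid = h.login("alice")
    forged = h.handle_logout(sid)  # image-in-email style request: cookie, no token
    genuine = h.handle_logout(sid, token=h.logout_token(sid))
    sid2 = h.login("bob")
    rogue = h.sso_logout("bob", remote_host="attacker.example.test")  # constructed
    trusted = h.sso_logout("bob", remote_host="cas.example.test")
    return forged, genuine, rogue, trusted, sid2 in h.sessions


if __name__ == "__main__":
    print(demo())
```

The token path is what makes the "image in an email" case harmless: the browser attaches the session cookie automatically, but the attacker has no way to read the per-session token, so the request is rejected before the session is touched. The allow-list path gives the CAS server a way to end sessions without that token, which is the trade-off the ticket is arguing about: it moves trust from a secret the user holds to the identity of the calling server.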