[Tickets #7931] Re: Left Logout button throws "malicious request"
bugs at horde.org
Thu Jun 11 15:17:07 UTC 2009
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/7931
------------------------------------------------------------------------------
Ticket | 7931
Updated By | bhalsema at purdue.edu
Summary | Left Logout button throws "malicious request"
Queue | Horde Base
Version | 3.3.3
Type | Bug
State | Feedback
Priority | 1. Low
Milestone |
Patch |
Owners | Horde Developers
------------------------------------------------------------------------------
bhalsema at purdue.edu (2009-06-11 11:17) wrote:
At the time that I posted my addition to this bug report, the answer to
Jan's question was "yes". I was using the Memcache Session Handler (not
Horde Memcache Session Handler) which was through the specification of
it in the php.ini file.
However, since that time, I have also been experimenting with the Horde
MySQL session handler. I have also experienced the same behavior.
However, I have been able to isolate the behavior a little more.
I don't know whether it would be construed as a bug or just undesirable
behavior which is understandable.
Installed Software
------------------
* RHEL5 RPM Installations
Apache 2.2
PHP 5.1.6
MySQL 5.0.45
* Horde Groupware Webmail edition (version 1.2.3)
Configured to use Horde MySQL session handler
Configuration
-------------
* Database => MySQL
* Authentication => Imp
* Session Handler => Horde MySQL Session Handler
Steps (run from a Linux desktop)
--------------------------------
1. Connect to Webmail and successfully authenticate.
2. Let the session remain idle for gc_maxlifetime and have garbage collection
take place. (So the session ID associated with Step #1 is removed from
the horde_sessionhandler table.)
3. Open another browser window, running on the SAME desktop, and log in
using the SAME login.
4. Now click on the "Logout" button associated with the idle session
established in Step #1. The browser will return a page stating
"We cannot verify that this request was really sent by you. It
could be a malicious request. If you intended to perform this
action, you can retry it now."
5. If, instead, you click on any other button, things continue as normal,
but I think that it is operating off of the new session ID (and
cookie) associated with the session established in Step #3.
If I perform Step #3 from the SAME desktop and use a DIFFERENT login from
that which was used in Step #1, the logout and all other operations work,
meaning that the session (from Step #1) is automatically logged out.
If I perform Step #3 from a different desktop and use the SAME login as in
Step #1, the logout and all other operations also work.
Does this make sense? I can try to further explain, if necessary.
Please note: I have not gone back to my Memcache configuration to verify
if the pattern that I have found with MySQL also applies to
the Memcache scenario that I documented before.
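The behaviour in Steps 1-4 is what a session-bound anti-CSRF token check produces once the old session row has been garbage-collected. The model below is an added example written for this ticket, not Horde's own code: the session store, the HMAC token derivation and the SERVER_KEY value are assumptions, and it covers only the same-login cases (same desktop vs. different desktop) that the report describes.

```python
import hashlib
import hmac
import secrets

# Constructed values for this model; a real deployment uses its own secret and php.ini setting.
SERVER_KEY = b"constructed-demo-secret"
GC_MAXLIFETIME = 1440  # seconds; the usual php.ini default

class SessionStore:
    """Stand-in for the horde_sessionhandler table: session id -> user and last-access time."""

    def __init__(self):
        self.rows = {}

    def login(self, user, now):
        sid = secrets.token_hex(16)
        self.rows[sid] = {"user": user, "last": now}
        return sid

    def gc(self, now):
        """Garbage collection: drop rows idle for longer than gc_maxlifetime (Step 2)."""
        stale = [sid for sid, row in self.rows.items() if now - row["last"] > GC_MAXLIFETIME]
        for sid in stale:
            del self.rows[sid]
        return stale

def request_token(sid, action):
    """Anti-CSRF token rendered into a page's buttons, bound to the session that rendered it."""
    return hmac.new(SERVER_KEY, f"{sid}:{action}".encode(), hashlib.sha256).hexdigest()

def handle_logout(store, cookie_sid, token):
    """Server-side check when Logout is clicked: 'logged_out' if the cookie names no live
    session (nothing to protect), 'malicious' if the token belongs to another session, else 'ok'."""
    if cookie_sid not in store.rows:
        return "logged_out"
    if not hmac.compare_digest(request_token(cookie_sid, "logout"), token):
        return "malicious"
    del store.rows[cookie_sid]
    return "ok"

def reproduce(same_desktop):
    """Steps 1-4 of the report, same login in both windows."""
    store = SessionStore()
    sid1 = store.login("alice", now=0)                   # Step 1
    stale_token = request_token(sid1, "logout")          # baked into window 1's Logout button
    store.gc(now=GC_MAXLIFETIME + 1)                     # Step 2: sid1's row is gone
    sid2 = store.login("alice", now=GC_MAXLIFETIME + 2)  # Step 3: fresh session and cookie
    # Step 4: the same desktop now sends the Step 3 cookie; a different desktop still sends sid1.
    cookie_sid = sid2 if same_desktop else sid1
    return handle_logout(store, cookie_sid, stale_token)
```

`reproduce(True)` yields "malicious" (the stale button's token does not match the new cookie's session) while `reproduce(False)` yields "logged_out", which is why the check only trips when both windows share one browser cookie jar.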