[Tickets #7931] Re: Left Logout button throws "malicious request"

bugs at horde.org
Thu Jun 11 15:17:07 UTC 2009


Ticket URL: http://bugs.horde.org/ticket/7931
  Ticket             | 7931
  Updated By         | bhalsema at purdue.edu
  Summary            | Left Logout button throws "malicious request"
  Queue              | Horde Base
  Version            | 3.3.3
  Type               | Bug
  State              | Feedback
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             | Horde Developers

bhalsema at purdue.edu (2009-06-11 11:17) wrote:

At the time that I posted my addition to this bug report, the answer to
Jan's question was "yes".  I was using the Memcache Session Handler (not
Horde Memcache Session Handler) which was through the specification of
it in the php.ini file.

However, since that time, I have also been experimenting with the Horde
MySQL session handler.  I have also experienced the same behavior.
However, I have been able to isolate the behavior a little more.

I don't know whether it would be construed as a bug or just undesirable
behavior which is understandable.

Installed Software

* RHEL5 RPM Installations
   Apache 2.2
   PHP 5.1.6
   MySQL 5.0.45

* Horde Groupware Webmail edition (version 1.2.3)
   Configured to use Horde MySQL session handler

* Database => MySQL
* Authentication => Imp
* Session Handler => Horde MySQL Session Handler

Steps (run from a Linux desktop)
1. Connect to Webmail and successfully authenticate.

2. Let the session remain idle gc_maxlifetime and have garbage collection
    take place.  (So the session ID associated with Step #1 is removed from
    the horde_sessionhandler table).

3. Open another browser window, running on the SAME desktop, and log in
    using the SAME login.

4. Now click on the "Logout" button associated with the idle session
    established in Step #1.  The browser will return a page stating

       "We cannot verify that this request was really sent by you. It
        could be a malicious request. If you intended to perform this
        action, you can retry it now."

5. If instead, you click on any other button, things continue as normal,
    but I think that it is operating off of the new session ID (and
    cookie) associated with the session established in Step #3.

If I perform Step #3 from the SAME desktop and use a DIFFERENT login from
that which was used in Step #1, the logout and all other operations work,
meaning that the session (from Step #1) is automatically logged out.

If I perform Step #3 from a different desktop and use the SAME login as in
Step #1, the logout and all other operations also work.

Does this make sense?  I can try to further explain, if necessary.

Please note:  I have not gone back to my Memcache configuration to verify
               if the pattern that I have found with MySQL also applies to
               the Memcache scenario that I documented before.
