

#284 index.php and login.php should check for active session

Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2013-12-02
Created: 2013-01-22
Creator: Z0l0ft
Private: No

When entering:
https://postfixurl/
https://postfixurl/index.php
https://postfixurl/login.php
one should be redirected to https://postfixurl/main.php if there is a valid administrator session.

As it is now, one can easily be tricked into believing one is logged out when entering the root page or the login page.


Discussion

  • Z0l0ft, 2013-01-22

    Probable patch

     
    Attachments
  • IMHO it would be better / more secure to automatically log out the admin if login.php is called again. (Any objections?)

     
  • GingerDog, 2013-01-27

    Make it so ...

    David.

    On 27 Jan 2013, at 18:30, Christian Boltz christian_boltz@users.sf.net wrote:

    IMHO it would be better / more secure to automatically logout the admin if login.php is called again. (Any objections?)


    • status: open --> closed-fixed
    • Group: --> SVN_(please_specify_revision!)
     
  • Fixed in SVN trunk r1568 - requesting login.php now means you'll be logged out.

    r1569 contains some cleanup - I deleted logout.php and now use login.php to logout ;-)

     
  • After this change I cannot log in anymore...

    Best Regards,

    Andrea Cervesato

     
  • Andrea Cervesato wrote (via reply to the postfixadmin-tracker mailing list, which is in theory read-only ;-)

    after this change i cannot login anymore...

    I tested this change before committing it, so I'm slightly ;-) surprised to hear that.

    First, can you make sure it's really this change that breaks login for you?
    To do this, open common.php in an editor and comment out the 3 lines after
    if (defined('POSTFIXADMIN_LOGOUT')) {

    It should look like this:
    if (defined('POSTFIXADMIN_LOGOUT')) {
    # session_unset();
    # session_destroy();
    # session_start();
    }

    Then test if login works again. If it does, remove the # signs again line by line (in various combinations with one or two lines commented out) until it's broken again. I'd be interested in which commands give you a working login and which of those also give a working logout.

    You can also try to add session_regenerate_id() after session_start() - I'm not sure if it helps, but it's worth testing.

     
    • status: closed-fixed --> open
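    The following is an added example written for this page; it is not Postfixadmin's own code and not the r1568/r1569 change itself. It puts the two ideas from this thread side by side: the redirect the bug report asks for (index.php / login.php sending an authenticated admin to main.php), and the session_unset / session_destroy / session_start logout sequence quoted above, with the session_regenerate_id() call suggested as a test. The session key name 'sessid', the 'type' => 'admin' marker, the page names and the function names are assumptions for illustration, not Postfixadmin's real layout.

```php
<?php
// Added example, not Postfixadmin code. Session layout and page names are
// assumed for illustration: $_SESSION['sessid'] = ['username' => ..., 'type' => 'admin'].
declare(strict_types=1);

function start_secure_session(): void
{
    // Cookie flags: HTTPS only, not readable from JavaScript, not sent on
    // cross-site navigations ('samesite' needs PHP >= 7.3).
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function has_admin_session(): bool
{
    // Only a session that login_success() populated counts as "logged in";
    // a mere session cookie with no identity in it is treated as logged out.
    return isset($_SESSION['sessid']['username'], $_SESSION['sessid']['type'])
        && $_SESSION['sessid']['type'] === 'admin';
}

function redirect_to(string $page): void
{
    // Fixed, relative targets only: never redirect to a user-supplied URL.
    header('Location: ' . $page, true, 303);
    exit;
}

function logout_session(): void
{
    // The sequence discussed in the thread. After session_destroy(), a plain
    // session_start() would reuse the id still held in the browser's cookie,
    // so session_regenerate_id(true) is what actually invalidates the old id
    // (and it closes the session-fixation window before the next login).
    session_unset();
    session_destroy();
    session_start();
    session_regenerate_id(true);
}

function login_success(string $username): void
{
    // Rotate the id on privilege change before storing the identity, so an id
    // an attacker planted before authentication never becomes an admin session.
    session_regenerate_id(true);
    $_SESSION['sessid'] = ['username' => $username, 'type' => 'admin'];
}

// index.php: what the bug report asks for.
function index_page(): void
{
    start_secure_session();
    if (has_admin_session()) {
        redirect_to('main.php');   // never show a logged-in admin a login form
    }
    redirect_to('login.php');
}

// login.php: behaviour after the fix, where requesting it means logging out.
function login_page(): void
{
    start_secure_session();
    if (has_admin_session()) {
        logout_session();          // requesting login.php == logout
    }
    // ... render the login form; on a successful password check call
    // login_success($username) and then redirect_to('main.php').
}
```

    The one line worth keeping in mind when reproducing the "cannot log in anymore" report is session_regenerate_id(true): without it the fresh session started after session_destroy() runs under the old cookie id, which is why a setup that stores sessions in a shared backend (such as the load-balanced database setup mentioned later in this thread) can behave differently from a single host.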
     
  • Andrea, any news on your login problem?

     
    • Uh, thanks for your interest; it was a configuration problem with my
      php/apache/load-balanced mysql session.
      Really hard to detect.
      Sorry for the false alarm!

