#277 Logout Security Issue

CVS
closed-fixed
Login (18)
5
2008-06-16
2006-05-04
V. Layne
No

If the user logged in with the "Use these credentials
for all servers" option selected, then the "logout"
button, essentially... doesn't. Well, yes, technically
it will log you out of each of the dbs you're logged in
to, but then if you select any db, it will
automatically log you back in. There is *no functional
difference* between being logged out after selecting
"use these credentials" and being logged in.

Quitting the browser actually does the right thing, but
closing the tab or window does not.

This is a security issue, for the simple reason that
the user is led to believe they are "logged out" (and
will stay logged out), when in reality anyone who uses
that browser window has their credentials!

Please make the logout button DTRT.
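To make the failure mode concrete, the following is an added illustration written for this page, not phpPgAdmin code: a small model of a session that keeps per-server logins plus an optional "shared" credential pair, with the original logout (clears only the per-server logins) beside the corrected logout that also drops the shared credentials, which is the remedy the discussion below settles on. Server names, the user name and the password are constructed; `SERVERS`, `Session`, `select_server`, `logout_buggy`, `logout_fixed` and `needs_logout_confirmation` are hypothetical names introduced here.

```python
"""Model of the logout problem from this ticket and its fix.

Constructed example for illustration; not phpPgAdmin code. The session
shape mirrors the report: per-server login state, plus a "use these
credentials for all servers" entry that silently logs the user into any
server they select.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

Credentials = Tuple[str, str]  # (username, password)

SERVERS = ["pg-main", "pg-reports", "pg-archive"]  # constructed names


@dataclass
class Session:
    # Credentials the user explicitly logged in with, keyed by server.
    servers: Dict[str, Credentials] = field(default_factory=dict)
    # Set when "Use these credentials for all servers" was ticked.
    shared: Optional[Credentials] = None


def login(session: Session, server: str, username: str, password: str,
          use_for_all: bool = False) -> None:
    """Record a login; optionally cache the pair as shared credentials."""
    session.servers[server] = (username, password)
    if use_for_all:
        session.shared = (username, password)


def select_server(session: Session, server: str) -> Optional[Credentials]:
    """Return the credentials in effect when the user picks `server`.

    None means the user would be prompted for a username and password.
    With shared credentials present this performs the automatic re-login
    the report complains about.
    """
    if server in session.servers:
        return session.servers[server]
    if session.shared is not None:
        session.servers[server] = session.shared  # silent re-login
        return session.shared
    return None


def logout_buggy(session: Session) -> None:
    """Original behaviour: per-server logins go, shared credentials stay."""
    session.servers.clear()


def logout_fixed(session: Session) -> None:
    """Fixed behaviour: logout invalidates every cached credential."""
    session.servers.clear()
    session.shared = None


def needs_logout_confirmation(session: Session) -> bool:
    """True when logging out will discard shared credentials; this is the
    condition under which the fix shows its confirm box."""
    return session.shared is not None


def credentials_survive_logout(logout: Callable[[Session], None]) -> bool:
    """Log in with 'use for all', log out, then select a different server.

    Returns True if that selection succeeds without a prompt, i.e. the
    next person at the browser inherits the credentials.
    """
    session = Session()
    login(session, SERVERS[0], "alice", "constructed-password",
          use_for_all=True)
    logout(session)
    return select_server(session, SERVERS[1]) is not None


if __name__ == "__main__":
    for name, fn in (("original", logout_buggy), ("fixed", logout_fixed)):
        print(f"{name} logout leaks shared credentials: "
              f"{credentials_survive_logout(fn)}")
```

The point the model makes is that "logged out" has to mean every place the application caches authentication material, not just the per-connection state; any cache that can re-authenticate without user input (here the shared pair) must be cleared in the same step, and if clearing it is surprising to users, warn them before doing it rather than leaving it in place.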

Discussion

  • Robert Treat

    Robert Treat - 2006-05-22

    Logged In: YES
    user_id=204589

    The only way to make this work the way you are asking would
    be to have the logout button log you out of all of the servers
    and remove the credentials. Is that something people are
    comfortable with?

    In any case I do think it might be a good idea to add a
    warning to the "use these credentials" checkbox to make sure
    users understand that once they check that button, anyone
    who sits down at the browser window will be able to log in
    to any database that will accept those credentials without
    any further prompting for un/pw.

  • Russell Smith

    Russell Smith - 2007-04-15
    • assigned_to: chriskl --> mr-russ
  • Russell Smith

    Russell Smith - 2007-04-15

    Logged In: YES
    user_id=361841
    Originator: NO

    I propose we go with option 1.

    Change the logout button to logout of shared, killing the shared credentials.

  • J.Guillaume (ioguix) de Rorthais

    • milestone: 544260 --> CVS
    • assigned_to: mr-russ --> ioguix
  • J.Guillaume (ioguix) de Rorthais

    Logged In: YES
    user_id=1489394
    Originator: NO

    Hello,

    Here is a patch to fix that.

    As requested, I drop the shared credentials on logout. Moreover, I added a JavaScript confirm box to explain that logging out will drop the shared credentials.

    I am waiting for your feedback before committing. Without any feedback, I will push this patch in the next 4.2 to close this ticket.
    File Added: fix_1482098_logout_security.patch.gz

  • J.Guillaume (ioguix) de Rorthais

    Logged In: YES
    user_id=1489394
    Originator: NO

    Hello,

    As I said in February, this bug has been fixed in ppa 4.2.

    Let's close this ticket.

  • J.Guillaume (ioguix) de Rorthais

    • status: open --> closed-fixed