Bug Report #1280
Auth ORM driver should clear autologin tokens on logout for security
| Status: | Closed | Start date: | |
|---|---|---|---|
| Priority: | Urgent | Due date: | |
| Assignee: | | % Done: | 100% |
| Category: | Modules:Auth | | |
| Target version: | 2.3.3 | | |
| Resolution: | | Points: | |
Description
The ORM driver only clears the autologin cookie on logout, but does not delete existing auth tokens.
Thus it is perfectly possible for someone malicious to reissue the cookie and log in again without supplying credentials.
There are two ways to go with this, though:
"Logout" could mean "I do not want people to be able to log in to this account without supplying credentials."
It could also mean "I do not want people to be able to log in to this account from this computer/browser", so that autologin will still work on other places the user may have logged in.
The attached patch does the first if $destroy is set, otherwise the second.
History
Updated by Kiall Mac Innes over 2 years ago
- Status changed from New to Assigned
- Assignee set to Kiall Mac Innes
The supplied patch seems to be "abusing" the $destroy param IMO by using it for an additional purpose.
$destroy is intended for destroying the session, not for logging out of all PCs...
IMO, we should always delete the specific token from the database, and have an additional param to log out all PCs.
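The following is an added example, not code from Kohana's Auth ORM driver or from the attached patch. It implements the semantics proposed in this comment (the presented token is always deleted from the database; a separate flag logs the user out of every device) and reproduces the replay scenario from the description, where clearing only the cookie leaves the token row alive. The `user_tokens` schema, the `logout_all` parameter name and the sample user and device values are assumptions of this example.

```python
"""Autologin-token store showing token-deleting logout semantics.

Constructed example: an in-memory SQLite table stands in for the driver's
token table, and the logout(token, logout_all=...) signature is this
example's own assumption, not the project's API.
"""
import hashlib
import secrets
import sqlite3


class TokenStore:
    """Issues, verifies and revokes autologin tokens for users."""

    def __init__(self):
        # Constructed schema: one row per issued autologin token.
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE user_tokens ("
            "  token_hash TEXT PRIMARY KEY,"
            "  user_id    INTEGER NOT NULL,"
            "  user_agent TEXT NOT NULL)"
        )

    @staticmethod
    def _hash(token):
        # Store only a digest so a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id, user_agent):
        """Issue a fresh autologin token for this browser; the return value is the cookie."""
        token = secrets.token_urlsafe(32)
        self.db.execute(
            "INSERT INTO user_tokens (token_hash, user_id, user_agent) VALUES (?, ?, ?)",
            (self._hash(token), user_id, user_agent),
        )
        return token

    def auto_login(self, token, user_agent):
        """Return the user_id if the presented cookie is still valid, else None."""
        row = self.db.execute(
            "SELECT user_id, user_agent FROM user_tokens WHERE token_hash = ?",
            (self._hash(token),),
        ).fetchone()
        if row is None or row[1] != user_agent:
            return None
        return row[0]

    def logout(self, token, logout_all=False):
        """Revoke the autologin token presented by this browser.

        The token row is always deleted, so the cookie cannot be replayed
        after logout. With logout_all=True every token belonging to the same
        user is deleted ("log out of all PCs"). Returns the number of tokens
        revoked.
        """
        token_hash = self._hash(token)
        if logout_all:
            row = self.db.execute(
                "SELECT user_id FROM user_tokens WHERE token_hash = ?", (token_hash,)
            ).fetchone()
            if row is None:
                return 0
            cur = self.db.execute("DELETE FROM user_tokens WHERE user_id = ?", (row[0],))
        else:
            cur = self.db.execute("DELETE FROM user_tokens WHERE token_hash = ?", (token_hash,))
        return cur.rowcount

    def active_tokens(self, user_id):
        """Number of autologin tokens currently valid for the user."""
        return self.db.execute(
            "SELECT COUNT(*) FROM user_tokens WHERE user_id = ?", (user_id,)
        ).fetchone()[0]


def demo():
    """Replay scenario from the report: logout must invalidate the token server-side."""
    store = TokenStore()
    laptop = store.login(42, "laptop-browser")   # constructed user/device values
    phone = store.login(42, "phone-browser")
    tablet = store.login(42, "tablet-browser")
    # Logging out of the laptop revokes only that browser's token.
    revoked_one = store.logout(laptop)
    laptop_replay_ok = store.auto_login(laptop, "laptop-browser") is not None
    phone_still_ok = store.auto_login(phone, "phone-browser") == 42
    # "Log out everywhere" from the phone also revokes the tablet token.
    revoked_all = store.logout(phone, logout_all=True)
    tablet_replay_ok = store.auto_login(tablet, "tablet-browser") is not None
    return (revoked_one, laptop_replay_ok, phone_still_ok,
            revoked_all, tablet_replay_ok, store.active_tokens(42))


if __name__ == "__main__":
    print(demo())  # (1, False, True, 2, False, 0)
```

Keeping the per-device deletion separate from the "everywhere" flag is what this comment asks for: `$destroy` stays about the session, and the token table is always cleaned up regardless.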
Updated by Kiall Mac Innes over 2 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Applied in changeset r4331.