[Twisted-web] /__logout__ doesn't expire the session
Andrea Arcangeli
andrea at cpushare.com
Wed Jan 12 19:21:28 MST 2005
Because of subject, any data structure linked to the user is still
visible to the webserver if the user explicitly types /__logout__ in the
URL. That doesn't seem very safe behaviour.
The userdb/ in the example directory does this to work around it:
    from nevow import guard
    from formless import iformless

    def logout(self, request):
        # expire the session by hand, then redirect to guard's __logout__ avatar
        request.getSession().expire()
        request.setComponent(iformless.IRedirectAfterPost, "/"+guard.LOGOUT_AVATAR)
but that workaround is insecure, since the user can type __logout__ by
himself (if he knows the nevow code at least) and log out without
clearing the session.
This problem would have caused a (very minor) security issue to me, but
it might have more serious implications in other apps.
So I'd suggest expiring the session automatically in the __logout__
avatar so that a new fresh (anonymous) session will have to be allocated
after logout.
The last fix I posted isn't applied yet, so I append it again.
My debug code now runs as I expected (i.e. the session is regenerated
after logout and I don't need to expire it by hand anymore insecurely
like userdb does).
Please apply thanks!
Index: nevow/rend.py
===================================================================
--- nevow/rend.py (revision 1069)
+++ nevow/rend.py (working copy)
@@ -127,7 +127,8 @@
ctx.remember(request, inevow.IRequest)
cf = iformless.IConfigurableFactory(self)
c = cf.locateConfigurable(ctx, configurableName)
- return self.webFormPost(request, self, c, ctx, bindingName, request.args)
+ if c:
+ return self.webFormPost(request, self, c, ctx, bindingName, request.args)
return NotFound
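Review bot: the new `if c:` guard tests truthiness rather than presence, so a configurable that happens to be falsy (one defining `__len__` or `__nonzero__` returning a false value) would fall through to `return NotFound` instead of being posted to; `if c is not None:` is the precise check. The message also does not say in which case `locateConfigurable` returns None here, so a one-line comment above the check would help the next reader.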
Index: nevow/guard.py
===================================================================
--- nevow/guard.py (revision 1069)
+++ nevow/guard.py (working copy)
@@ -348,7 +348,7 @@
if segments and segments[0] == LOGIN_AVATAR:
return self.login(request, s, self.getCredentials(request), segments[1:])
elif segments and segments[0] == LOGOUT_AVATAR:
- s.portalLogout(self.portal)
+ s.expire()
return urlToChild(request, *segments[1:]), ()
else:
r = s.resourceForPortal(self.portal)
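Review bot: replacing `s.portalLogout(self.portal)` with `s.expire()` removes the explicit portal logout, so unless `expire()` itself runs the portal logout hooks (the realm's logout callback for the avatar), those callbacks stop firing on `__logout__`. If it does not, keep `s.portalLogout(self.portal)` and add `s.expire()` after it. It is also worth confirming that the redirect returned on the following line leads to a fresh session cookie being issued, rather than the client continuing to present the expired session id.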
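The risk described in this mail, as an added example that is not Nevow's code and not part of the original post: a tiny in-memory session store (constructed here, with made-up `SessionStore`, `portal_logout_only`, `expire` and `resolve` names) shows that a logout which only drops the avatar leaves the user's server-side state reachable through the same cookie, while expiring the session forces the next request onto a fresh anonymous session with a new id.

```python
"""Added example (not Nevow code): a logout that only drops the avatar
versus one that expires the session."""
import secrets


class SessionStore:
    """In-memory stand-in for guard's session machinery (constructed for
    this example; not Nevow's API)."""

    def __init__(self):
        self._sessions = {}  # session id -> per-session state

    def new_session(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"avatar": None, "data": {}}
        return sid

    def login(self, sid, username):
        s = self._sessions[sid]
        s["avatar"] = username
        s["data"]["cart"] = ["item-42"]  # user-linked state (constructed)

    def portal_logout_only(self, sid):
        """The reported behaviour: the avatar is dropped, but the session and
        every data structure hanging off it survive."""
        self._sessions[sid]["avatar"] = None

    def expire(self, sid):
        """The fix the post asks for: destroy the session so the next request
        has to allocate a fresh anonymous one."""
        self._sessions.pop(sid, None)

    def resolve(self, sid):
        """What a request carrying cookie `sid` sees: the existing session, or
        a brand-new anonymous session (new id) if the old one expired."""
        if sid in self._sessions:
            return sid, self._sessions[sid]
        fresh = self.new_session()
        return fresh, self._sessions[fresh]


def logout_leaves_state(store):
    """True if, after an avatar-only logout, the old cookie still resolves to
    the old session and the user's data is still reachable."""
    sid = store.new_session()
    store.login(sid, "alice")
    store.portal_logout_only(sid)
    same_sid, sess = store.resolve(sid)
    return same_sid == sid and sess["data"].get("cart") == ["item-42"]


def expire_regenerates(store):
    """True if expiring on logout yields a new session id with no avatar and
    no leftover user data."""
    sid = store.new_session()
    store.login(sid, "alice")
    store.expire(sid)
    new_sid, sess = store.resolve(sid)
    return new_sid != sid and sess["avatar"] is None and sess["data"] == {}


if __name__ == "__main__":
    print("avatar-only logout keeps user state:", logout_leaves_state(SessionStore()))
    print("expire() regenerates the session:", expire_regenerates(SessionStore()))
```

The check a reviewer would run against the real application is the same as `logout_leaves_state`: log in, hit the framework's logout URL directly (not the application's own handler), then replay the old cookie and confirm the server no longer associates any per-user state with it.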