[Twisted-web] /__logout__ doesn't expire the session

Tommi Virtanen tv at twistedmatrix.com
Thu Jan 13 13:35:27 MST 2005


Andrea Arcangeli wrote:
> Because of subject, any data structure linked to the user is still
> visible to the webserver if the user explicitly types /__logout__ in the
> URL. That doesn't seem very safe behaviour.
> 
> The userdb/ in the example directory does this to workaround it:
> 
>     def logout(self, request):
>         request.getSession().expire()
>         request.setComponent(iformless.IRedirectAfterPost, "/"+guard.LOGOUT_AVATAR)
> 
> but that workaround is insecure, since the user can type __logout__ by
> himself (if he knows the nevow code at least) and logout without
> clearing the session.
> 
> This problem would have caused a (very minor) security issue to me, but
> it might have more serious implications in other apps.
> 
> So I'd suggest to expire the session automatically in the __logout__
> avatar so that a new fresh (anonymous) session will have to be allocated
> after logout.

As I understand it, that removes "too much state"; that is, you only
asked to logout from this specific realm, where the same person could
be logged into multiple Realms at the same time. Or something like that.

When your Realm returns the 3-tuple

	(inevow.IResource, someResource, logout)

that logout callback is called when you call guard's .logout() or visit
__logout__ (or when the session expires). Clean up the state there. For
instance, if your app-specific state is in
session.setComponent(IMyAppState, state), and thus accessed
with IMyAppState(inevow.ISession(ctx)), you can clean that with
session.unsetComponent(IMyAppState).

Things could be cleaner. That's mostly a matter of good docstrings,
gentle API evolution, and examples.

Things could be simpler. But the design inherits directly from
twisted.cred, and that is up to glyph to defend (most likely on the
main twisted mailing list).
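
The cleanup pattern described in the reply above, as an added example that is not part of this thread and not Nevow's or Twisted's own code. It models the pieces without Nevow so it runs offline: the `Session` class stands in for Nevow's session component registry (`setComponent`/`getComponent`/`unsetComponent`/`expire`), `Realm.requestAvatar` returns the `(interface, resource, logout)` 3-tuple that twisted.cred and nevow.guard expect, and `Guard.logout` plays the role of guard's `.logout()` and the `__logout__` URL, both of which end up invoking that callback. The realm names, `IMyAppState`/`IOtherAppState` keys, user name and state contents are all constructed for the illustration.

```python
# Added example, not from this thread and not Nevow's own code. The
# Session, Realm and Guard classes below are stand-ins (my assumption of
# the shape of the real API) for Nevow's session components, a
# twisted.cred Realm, and nevow.guard's logout handling.


class IResource:
    """Stand-in for inevow.IResource (marker only)."""


class IMyAppState:
    """Marker key for one realm's per-session application state."""


class IOtherAppState:
    """Marker key for a second realm, to show the two are independent."""


class Session:
    """Minimal component registry mimicking the calls used in the thread."""

    def __init__(self):
        self._components = {}
        self.expired = False

    def setComponent(self, interface, value):
        self._components[interface] = value

    def getComponent(self, interface, default=None):
        return self._components.get(interface, default)

    def unsetComponent(self, interface):
        self._components.pop(interface, None)

    def expire(self):
        # The blunt instrument from the quoted workaround: drops every
        # realm's state, not just the one the user logged out of.
        self._components.clear()
        self.expired = True


class Realm:
    """A realm that keeps its state under its own session component key."""

    def __init__(self, state_key):
        self.state_key = state_key

    def requestAvatar(self, avatarId, session):
        state = {"user": avatarId, "secrets": ["cart", "tokens"]}
        session.setComponent(self.state_key, state)

        def logout():
            # Runs for guard's .logout(), for /__logout__, and on session
            # expiry, so nothing user-linked survives any of those paths.
            session.unsetComponent(self.state_key)

        return IResource, {"page-for": avatarId}, logout


class Guard:
    """Tracks the logout callback each realm handed back at login."""

    def __init__(self, session):
        self.session = session
        self._logouts = {}

    def login(self, realm, avatarId):
        _iface, resource, logout = realm.requestAvatar(avatarId, self.session)
        self._logouts[realm] = logout
        return resource

    def logout(self, realm):
        # An app's own logout button and a hand-typed /__logout__ both
        # funnel through here, so the realm's cleanup cannot be bypassed.
        callback = self._logouts.pop(realm, None)
        if callback is not None:
            callback()


def _login_twice():
    session = Session()
    guard = Guard(session)
    shop, admin = Realm(IMyAppState), Realm(IOtherAppState)
    guard.login(shop, "alice")
    guard.login(admin, "alice")
    return session, guard, shop


def _snapshot(session):
    return {
        "shop_state": session.getComponent(IMyAppState),
        "admin_state": session.getComponent(IOtherAppState),
        "expired": session.expired,
    }


def per_realm_logout():
    """Log out of one realm only: its state goes, the other realm's stays."""
    session, guard, shop = _login_twice()
    guard.logout(shop)
    return _snapshot(session)


def expire_everything():
    """The quoted workaround: session.expire() wipes the other realm too."""
    session, _guard, _shop = _login_twice()
    session.expire()
    return _snapshot(session)


if __name__ == "__main__":
    print(per_realm_logout())
    print(expire_everything())
```

`per_realm_logout()` shows the behaviour the reply argues for: after logging out of the `shop` realm, `IMyAppState` is gone from the session while `IOtherAppState` (the second realm's login) and the session itself survive. `expire_everything()` shows what the quoted `request.getSession().expire()` workaround does instead, removing both realms' state at once, which is the "too much state" the reply refers to.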


