[Twisted-web] /__logout__ doesn't expire the session

Andrea Arcangeli andrea at cpushare.com
Wed Jan 12 19:21:28 MST 2005


Because of the subject, any data structure linked to the user is still
visible to the webserver if the user explicitly types /__logout__ in the
URL. That doesn't seem very safe behaviour.

The userdb/ in the example directory does this to work around it:

    def logout(self, request):
        # Expire the session by hand, then redirect through guard's logout avatar.
        request.getSession().expire()
        request.setComponent(iformless.IRedirectAfterPost, "/"+guard.LOGOUT_AVATAR)

but that workaround is insecure, since the user can type __logout__ by
himself (if he knows the nevow code at least) and log out without
clearing the session.

This problem would have caused a (very minor) security issue to me, but
it might have more serious implications in other apps.

So I'd suggest expiring the session automatically in the __logout__
avatar so that a new, fresh (anonymous) session will have to be allocated
after logout.

The last fix I posted isn't applied yet, so I append it again.

My debug code now runs as I expected (i.e. the session is regenerated
after logout and I no longer need to expire it by hand, insecurely, as
userdb does).

Please apply thanks!

Index: nevow/rend.py
===================================================================
--- nevow/rend.py	(revision 1069)
+++ nevow/rend.py	(working copy)
@@ -127,7 +127,8 @@
             ctx.remember(request, inevow.IRequest)
             cf = iformless.IConfigurableFactory(self)
             c = cf.locateConfigurable(ctx, configurableName)
-            return self.webFormPost(request, self, c, ctx, bindingName, request.args)
+            if c:
+                return self.webFormPost(request, self, c, ctx, bindingName, request.args)
         return NotFound
 
 
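Review bot: the new `if c:` guard treats a configurable that is merely falsy the same as a missing one, and the message never says when locateConfigurable() returns None or how this hunk relates to the logout problem (it is described only as "the last fix I posted"). Prefer `if c is not None:` and add a one-line comment above it naming the case it handles, so the silent fall-through to NotFound is not mistaken for an unrelated 404. This hunk is also independent of the guard.py change and would be easier to review as a separate patch with its own description.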
Index: nevow/guard.py
===================================================================
--- nevow/guard.py	(revision 1069)
+++ nevow/guard.py	(working copy)
@@ -348,7 +348,7 @@
         if segments and segments[0] == LOGIN_AVATAR:
             return self.login(request, s, self.getCredentials(request), segments[1:])
         elif segments and segments[0] == LOGOUT_AVATAR:
-            s.portalLogout(self.portal)
+            s.expire()
             return urlToChild(request, *segments[1:]), ()
         else:
             r = s.resourceForPortal(self.portal)
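Review bot: replacing `s.portalLogout(self.portal)` with `s.expire()` drops the portal-level logout call entirely; unless expire() is known to run the same cleanup, any avatar logout hooks that portalLogout triggered will no longer fire. Suggest keeping both, `s.portalLogout(self.portal)` followed by `s.expire()`, so the avatar is logged out and the session is torn down. Also, the redirect returned by urlToChild() will arrive with the old session cookie; this only yields the fresh anonymous session the post describes if the session lookup refuses to hand back an expired object for that cookie, which is worth confirming (and stating in the commit message) rather than assuming.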



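As an added example (not code from this post or from nevow itself), the following self-contained Python model contrasts the two logout behaviours discussed above: a logout that only forgets the principal, and a logout that expires the session so the next request with the old cookie gets a fresh anonymous session. Session, SessionStore, handle_request, simulate and the accepted credentials are all constructed stand-ins for illustration, not nevow's API.

```python
import secrets


class Session:
    """Constructed stand-in for a server-side session object; it is not
    nevow's session class, only a model of the two behaviours discussed."""

    def __init__(self, uid):
        self.uid = uid            # value stored in the client's cookie
        self.avatar = None        # logged-in principal, None when anonymous
        self.data = {}            # data structures linked to the logged-in user
        self.expired = False

    def portal_logout(self):
        # Models the pre-patch behaviour: only the principal is forgotten;
        # the session object and everything attached to it stay alive.
        self.avatar = None

    def expire(self):
        # Models the patched behaviour: the whole session is torn down, so
        # the next request with the old cookie gets a fresh anonymous session.
        self.expired = True
        self.avatar = None
        self.data.clear()


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def new(self):
        # 128 random bits; unguessable by anyone other than the owning client.
        s = Session(secrets.token_hex(16))
        self._sessions[s.uid] = s
        return s

    def lookup(self, uid):
        s = self._sessions.get(uid)
        if s is None or s.expired:
            self._sessions.pop(uid, None)   # never resurrect an expired uid
            return None
        return s


LOGIN_AVATAR = "__login__"
LOGOUT_AVATAR = "__logout__"


def handle_request(store, cookie, path, expire_on_logout, credentials=None):
    """Resolve the request's session and apply the login/logout avatars.

    expire_on_logout selects between the two guard.py behaviours: False
    calls portal_logout() only (the behaviour reported in the post), True
    calls expire() (the patched behaviour).  Returns the session object the
    request ran against; after an expiring logout the next request with the
    same cookie is what receives the fresh session."""
    session = store.lookup(cookie) if cookie is not None else None
    if session is None:
        session = store.new()
    segment = path.strip("/").split("/", 1)[0]
    if segment == LOGIN_AVATAR:
        # Constructed credential check: any non-empty username is accepted.
        if credentials and credentials.get("username"):
            session.avatar = credentials["username"]
    elif segment == LOGOUT_AVATAR:
        if expire_on_logout:
            session.expire()
        else:
            session.portal_logout()
    return session


def simulate(expire_on_logout):
    """Log in, attach user-linked data, hit /__logout__ directly, then make
    one more request with the same cookie and report what is still visible."""
    store = SessionStore()
    first = handle_request(store, None, "/", expire_on_logout)
    cookie = first.uid   # the client keeps sending this after logout
    handle_request(store, cookie, "/__login__", expire_on_logout,
                   credentials={"username": "alice"})
    first.data["cart"] = ["item-1"]    # constructed stand-in for per-user state
    handle_request(store, cookie, "/__logout__", expire_on_logout)
    after = handle_request(store, cookie, "/", expire_on_logout)
    return {
        "same_session": after.uid == cookie,
        "avatar": after.avatar,
        "leftover": dict(after.data),
    }


if __name__ == "__main__":
    print("portalLogout only:", simulate(False))
    print("expire():         ", simulate(True))
```

With expire_on_logout=False the post-logout request still lands on the same session and can see the leftover "cart" data even though no principal is logged in; with expire_on_logout=True the old cookie no longer resolves and a new anonymous session is allocated. The lookup() refusing to return an expired object is what makes the second case work; a store that kept handing back the expired object would reintroduce the problem.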