[ADDED TRACKER] Cannot Logout if Frontend Login Disabled.

Locked

[ADDED TRACKER] Cannot Logout if Frontend Login Disabled.

Post by RobS » Sun Jul 02, 2006 11:07 pm

I found an interesting bug today. I logged into the frontend to test something, left the user logged in, and then later disabled frontend login via the backend by adjusting the global configuration option "Frontend Login" to "no". This had the interesting side effect of making it impossible for the user who was logged in via the frontend to log out. When you select the logout option, it says you cannot view this resource, in typical unpublished-component fashion. I think this is bad behavior; when frontend login is disabled, all the users should be automatically logged out or something to avoid this kind of behavior.

Description:
If a user is logged into the frontend and, while they are logged in, frontend login is disabled in the backend, they will not be able to log out. It could lead to security issues due to a user thinking they are logged out but they are still logged in.

Reported on:
Joomla 1.0.10.

Classification:
Medium

Affected functions:
com_login related functions

Related files:
com_login/*

Steps to replicate:
Log in to the frontend with a user.
Open a new window, log in to the back with Super Admin, and disable frontend login via global configuration.
Go back to the window with the user logged into the front end and try to log out.

Proposed fix(es):
Any users logged in via the frontend when frontend login is disabled should be automatically logged out, or the login/logout function should be separated so that only login is disabled when you disable the frontend login.

System info:
PHP built On: FreeBSD http://www.xxxxxx.com 6.1-RELEASE-p2 FreeBSD 6.1-RELEASE-p2 #3: Sun Jun 25 16:58:58 PDT 2006 [email protected]:/usr/obj/usr/src/sys/SMP i386
Database Version: 5.0.22-log
PHP Version: 5.1.4
Web Server: Apache/2.2.2 (FreeBSD) mod_fastcgi/2.4.2
WebServer to PHP interface: cgi-fcgi
Joomla! Version: Joomla! 1.0.10 Stable [ Sundown ] 26 June 2006 00:00 UTC
User Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418 (KHTML, like Gecko) Safari/417.9.3
Relevant PHP Settings:
Safe Mode: OFF
Open basedir: none
Display Errors: ON
Short Open Tags: OFF
File Uploads: ON
Magic Quotes: ON
Register Globals: OFF
Output Buffering: OFF
Session save path: /tmp
Session auto start: 0
XML enabled: Yes
Zlib enabled: Yes
Disabled Functions: none
WYSIWYG Editor: No WYSIWYG Editor
Configuration File:
Last edited by RobS on Thu Jul 06, 2006 8:47 pm, edited 1 time in total.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
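
Added example, not part of the original post and not Joomla's code: a self-contained PHP model of the gate described in the report, next to the two proposed fixes (end existing sessions when the option is switched off, or gate only the login task). The class, method names, task strings and session data are hypothetical.

```php
<?php
// Added illustration, not Joomla code: every name here is hypothetical.
final class FrontendAuth
{
    private bool $loginEnabled = true;
    private array $sessions = [];   // session id => username (constructed data)

    // Fix A (optional): switching login off also ends existing frontend sessions.
    public function disableLogin(bool $endSessions): void
    {
        $this->loginEnabled = false;
        if ($endSessions) { $this->sessions = []; }
    }

    // As reported: one switch blocks the whole component, logout included.
    public function handleAsReported(string $task, string $sid, string $user = ''): string
    {
        return $this->loginEnabled ? $this->dispatch($task, $sid, $user) : 'not authorized';
    }

    // Fix B: the switch gates only "login"; "logout" is always served.
    public function handleSeparated(string $task, string $sid, string $user = ''): string
    {
        if ($task === 'login' && !$this->loginEnabled) {
            return 'not authorized';
        }
        return $this->dispatch($task, $sid, $user);
    }

    public function isLoggedIn(string $sid): bool
    {
        return isset($this->sessions[$sid]);
    }

    // Only the login and logout tasks are modelled; anything else is a logout.
    private function dispatch(string $task, string $sid, string $user): string
    {
        if ($task === 'login') {
            $this->sessions[$sid] = $user;
            return 'logged in';
        }
        unset($this->sessions[$sid]);
        return 'logged out';
    }
}

$auth = new FrontendAuth();
$auth->handleAsReported('login', 'sid-1', 'alice');  // constructed session
$auth->disableLogin(false);                          // option flipped, sessions kept
printf("%s, session alive: %s\n", $auth->handleAsReported('logout', 'sid-1'), var_export($auth->isLoggedIn('sid-1'), true));
printf("%s, session alive: %s\n", $auth->handleSeparated('logout', 'sid-1'), var_export($auth->isLoggedIn('sid-1'), true));
```

The first call models the reported state: the logout request is refused while the server-side session stays valid. Calling `disableLogin(true)` instead models the first proposed fix, where no session survives the configuration change.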


Re: [ADDED TRACKER] Cannot Logout if Frontend Login Disabled.

Post by user deleted » Sat Oct 07, 2006 7:39 pm

http://forge.joomla.org/sf/go/artf5192?nav=1 closed as feature request. Also closing topic as known issue.

