Koozali.org formerly Contribs.org

Pydio not logging out
« on: February 28, 2014, 12:11:17 PM »
Sme 8 with pydio 5.2.2-1.el5.fws + smeserver-pydio 0.2.9-1.el5.fws. Access via Firefox 27 or IE 11, both on Windows 8/64, and Firefox 27 on Centos 5.9/64.
When I log out, instead being redirected to the main login page, I go back to the previously logged in pages where I can still access files.

Nicola
Smeserver.it consultant - Solutions and support for SME Server in Italy.

Daniel B. (Firewall Services, network security)
Re: Pydio not logging out
« Reply #1 on: February 28, 2014, 01:40:44 PM »
That's expected, Pydio uses a basic HTTP auth which cannot close a session (closing the browser will terminate the session). What you can do is to redirect users to any page you want when they click on disconnect:

Code:
db configuration setprop pydio LogoutUrl http://sme.domain.tld/disconnected.html
signal-event webapps-update

Regards, Daniel
It's the end of the world!!! :lol:

Re: Pydio not logging out
« Reply #2 on: November 20, 2014, 08:41:47 AM »
Now testing for a production environment, I'm not able to have the logout url redirection working.
This is my db configuration:
Quote
[root@sme8-pdc ~]# db configuration show pydio
pydio=webapp
    DbName=pydio
    DbPassword=q4xlDF051RX1jt4Sa9+lmh4ugReETRkHwkixeOVOYNN+2ustT2JwLrrS2iAvEabLHnW0HrVnQJL9
    DbUser=pydio
    LogoutUrl=https://www.google.it
    access=private
    status=enabled

Nicola

Stefano (Smeserver italian community)
Re: Pydio not logging out
« Reply #3 on: November 20, 2014, 09:44:21 AM »
if something doesn't work as expected out-of-the-box, please raise a bug :-)

Re: Pydio not logging out
« Reply #4 on: November 20, 2014, 10:18:34 AM »
Maybe it's only a db variable to be configured in some way . . . .

Nicola

Stefano (Smeserver italian community)
Re: Pydio not logging out
« Reply #5 on: November 20, 2014, 10:20:51 AM »
Nicola, Daniel told you that setting LogoutUrl and invoking webapps-update event should do the trick.. if it doesn't, something isn't working properly..
usually I call it "bug", hence -> bugzilla..

TIA

Re: Pydio not logging out
« Reply #6 on: November 20, 2014, 04:31:53 PM »
Quote
That's expected, Pydio uses a basic HTTP auth which cannot close a session (closing the browser will terminate the session). What you can do is to redirect users to any page you want when they click on disconnect:

However, when you do that, and they then go back to the pydio URL, they will still be able to access files. As you say, with http basic authentication, the only way to remove the login credentials from the browser is to close the browser.

Perhaps someone should convert smeserver-pydio to use ticket based authentication, as used in server-manager.

Re: Pydio not logging out
« Reply #7 on: November 20, 2014, 06:58:20 PM »
Quote
That's expected, Pydio uses a basic HTTP auth which cannot close a session (closing the browser will terminate the session). What you can do is to redirect users to any page you want when they click on disconnect...

Does it make any sense to have a 'disconnect' button on something using Basic auth?

Daniel B. (Firewall Services, network security)
Re: Pydio not logging out
« Reply #8 on: November 20, 2014, 07:02:40 PM »
It makes sense in some situations: for example, I'm using LemonLDAP::NG to protect my web apps, including Pydio. It's a cookie based SSO solution but emulates basic auth from the app POV. It can catch any URL and redirect users where I want. I'm using this feature to catch the classic logout link of every protected app and redirect them to the main portal. On a standard SME, as it's using pure basic auth, it doesn't make a lot of sense, but removing it would require patching Pydio itself, which I'd rather avoid.

Re: Pydio not logging out
« Reply #9 on: April 04, 2016, 10:05:23 AM »
Hi,
This is quite an old thread so I am hoping that there was a fix for this issue.
I am trying to set up my first SME Server.  I have the same problems that are described in this thread. It looks like the users weren't given any assistance.

The problem:
user1 accesses smeserver/pydio for their shared directories, however they cannot log out. When user2 on a different machine tries to access Pydio they are actually shown the same screen that user1 cannot log out from!

Obviously this is quite a serious security issue and renders the server unusable for file and directory sharing.

Can anyone point me in the right direction for a solution?

Thanks,
Peter
smeserver 9.1

Daniel B. (Firewall Services, network security)
Re: Pydio not logging out
« Reply #10 on: April 04, 2016, 10:10:46 AM »
Quote
The problem:
user1 accesses smeserver/pydio for their shared directories, however they cannot log out. When user2 on a different machine tries to access Pydio they are actually shown the same screen that user1 cannot log out from!
Absolutely not (or this would indeed be a big security concern). The session is linked to the browser. There's no way you can get the previous session on a different machine. When using basic auth, there's only one way to end the session: close the browser. The disconnect button which doesn't work was just redirecting the user to an arbitrary page. It had no security purpose.
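The behaviour Daniel describes, as an added example that is not code from the thread, from Pydio or from SME Server: two in-memory origins stand in for the web server, one doing HTTP Basic auth as smeserver-pydio does and one holding a ticket-style session as Reply #6 suggests, and two tiny client classes stand in for the browser. The user names, passwords and paths are made up. It shows why a Basic-auth "disconnect" can only redirect, why only closing the browser drops the credentials, why a second machine with no cached header gets 401 rather than user1's files, and what a server-side session can do differently.

```python
"""Basic auth versus a server-side session: what "logout" can and cannot do.

Added example, not Pydio or SME Server code. Two in-memory origins stand in
for the web server and two tiny client classes stand in for the browser.
The user names, passwords and paths are made up for the demonstration.
"""
import base64
import secrets

# Constructed credential store (plaintext only to keep the demo short).
USERS = {"user1": "s3cret", "user2": "hunter2"}


# ---------- Origin A: HTTP Basic auth, the scheme smeserver-pydio uses ----------
def basic_handle(path, headers):
    """Authenticate every request from scratch out of the Authorization header.
    There is no server-side session, so there is nothing for /logout to revoke."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, "WWW-Authenticate: Basic realm=pydio"
    try:
        user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, "malformed Authorization header"
    if USERS.get(user) != pwd:
        return 401, "bad credentials"
    if path == "/pydio/logout":
        # All the app can do here is what LogoutUrl does: send the browser elsewhere.
        return 302, "Location: /disconnected.html"
    return 200, "files of " + user


class BasicAuthBrowser:
    """A browser keeps the credentials it sent for a realm and re-sends them on
    every later request until the browser process exits."""
    def __init__(self, user, pwd):
        token = base64.b64encode(f"{user}:{pwd}".encode()).decode()
        self.cached = {"Authorization": "Basic " + token}

    def get(self, path):
        return basic_handle(path, self.cached)

    def quit(self):
        self.cached = {}   # closing the browser is what drops the cached header


# ---------- Origin B: ticket/cookie session, as the server-manager uses ----------
SESSIONS = {}   # session id -> user name; this table is the "session" to end


def cookie_login(user, pwd):
    """Check the password once, hand out an unguessable session id."""
    if USERS.get(user) != pwd:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def cookie_handle(path, cookies):
    user = SESSIONS.get(cookies.get("sid"))
    if user is None:
        return 401, "no valid session"
    if path == "/pydio/logout":
        del SESSIONS[cookies["sid"]]   # server-side revocation: the cookie is now worthless
        return 302, "Location: /login"
    return 200, "files of " + user


class CookieBrowser:
    def __init__(self, sid):
        self.cookies = {"sid": sid}

    def get(self, path):
        return cookie_handle(path, self.cookies)


def demo():
    """Run both scenarios and return the status code seen at each step."""
    seen = {}
    b = BasicAuthBrowser("user1", "s3cret")
    seen["basic_files"] = b.get("/pydio/")[0]                     # 200
    seen["basic_logout"] = b.get("/pydio/logout")[0]              # 302, just a redirect
    seen["basic_after_logout"] = b.get("/pydio/")[0]              # still 200: nothing was revoked
    seen["basic_other_machine"] = basic_handle("/pydio/", {})[0]  # 401: no shared state to inherit
    b.quit()
    seen["basic_after_quit"] = b.get("/pydio/")[0]                # 401: only closing the browser helps

    c = CookieBrowser(cookie_login("user1", "s3cret"))
    seen["cookie_files"] = c.get("/pydio/")[0]                    # 200
    seen["cookie_logout"] = c.get("/pydio/logout")[0]             # 302
    seen["cookie_after_logout"] = c.get("/pydio/")[0]             # 401: the server ended the session
    return seen


if __name__ == "__main__":
    for step, status in demo().items():
        print(f"{step:22s} {status}")
```

The interesting lines are `basic_after_logout` (200, because the browser still holds the header and the server has no table to strike it from) and `basic_other_machine` (401, because there is no server-side state for a second client to inherit).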

Re: Pydio not logging out
« Reply #11 on: April 04, 2016, 10:17:03 AM »
Hi Daniel,
Thanks for the speedy reply.
I will check my testing and try again but I am sure that is what I saw. I am using Virtualbox for my test server and using different Vmachines and browsers to test.

You mention basic authentication being an issue. Does this mean we can use a better form of authentication that ensures a user can log out, terminates the session and prevents the problem?
Thanks
Peter

Daniel B. (Firewall Services, network security)
Re: Pydio not logging out
« Reply #12 on: April 04, 2016, 10:19:14 AM »
Quote
You mention basic authentication being an issue. Does this mean we can use a better form of authentication that ensures a user can log out, terminates the session and prevents the problem?

I don't consider this an issue, it's the way it works. It's not a problem as long as you are aware of it. There are other ways to auth (against LDAP for example), but it's a lot harder to configure, because you'll have to do it by hand.

Re: Pydio not logging out
« Reply #13 on: April 04, 2016, 10:26:49 AM »
Daniel,
With all due respect. That is your opinion.
The introduction states: 'Koozali SME Server is a complete, secure, stable and versatile'
If smeserver is designed for business use, security should be the first priority.
I think smeserver is a great solution with a strong community. I would like to believe I can get around this problem.
The majority of file sharing solutions would not be in business very long if they took the same view.

What do the other members say?

best wishes,
Peter

Daniel B. (Firewall Services, network security)
Re: Pydio not logging out
« Reply #14 on: April 04, 2016, 10:29:13 AM »
Quote
The introduction states: 'Koozali SME Server is a complete, secure, stable and versatile'
If smeserver is designed for business use, security should be the first priority.

And security is a top priority for me. I just don't consider basic auth a security issue, as long as you are aware that you must close your browser to end the session.

Daniel B. (Firewall Services, network security)
Re: Pydio not logging out
« Reply #15 on: April 04, 2016, 10:32:07 AM »
I should add that if security is a concern to you, you should close your browser when you're done using it, no matter which auth mechanism is used.

Re: Pydio not logging out
« Reply #16 on: April 04, 2016, 10:42:35 AM »
Quote
I should add that if security is a concern to you, you should close your browser when you're done using it, not matter which auth mechanism is used.

Just an idea as a workaround: can we think of linking the Pydio close/logout button to a security-warning box offering to shut down the browser?

Daniel B. (Firewall Services, network security)
Re: Pydio not logging out
« Reply #17 on: April 04, 2016, 10:44:06 AM »
You could use the LogoutURL for this. Unfortunately, LogoutURL doesn't work anymore. I need to check if the bug still exists in Pydio 6 branch

Re: Pydio not logging out
« Reply #18 on: April 04, 2016, 05:10:21 PM »
Quote
The introduction states: 'Koozali SME Server is a complete, secure, stable and versatile'
If smeserver is designed for business use, security should be the first priority.

pydio is not part of SME server.

Re: Pydio not logging out
« Reply #19 on: May 05, 2016, 01:07:29 PM »
Would it be possible to configure Pydio to use SME Server's LDAP instead of basic authentication? I had a go at it, and I could get it to recognise a username, but couldn't actually login with it.
LemonLDAP-NG isn't really ideal for my situation - client doesn't have a wildcard SSL certificate, so I don't want to use virtualhosts and subdomains, just access it as domain.com/pydio.

Also, is the desktop/mobile app supported? I tried the desktop app and got "Server not found (404), is it up and has it Pydio installed?"

I'm happy to spend more time fiddling with it (I'm relatively experienced with SME Server), but won't bother if there's any reason why it's not possible.

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Pydio not logging out
« Reply #20 on: May 06, 2016, 12:28:47 PM »
You should use Let's Encrypt to get a free wildcard certificate.

I think the desktop app is only supported by the v6 version of pydio. An update of the contribs would be necessary, but need some work to adapt it to SME to use its user db.

As Daniel, Charlie and I use most of our spare time for SME 10, we would be happy to assist somebody to do the migration process to pydio 6 and then make an rpm of it, but we do not have the time to do all the process.

I can however confirm that the ios and android apps work with pydio v5 currently available on SME.
« Last Edit: May 06, 2016, 12:33:03 PM by Jean-Philippe Pialasse »

Re: Pydio not logging out
« Reply #21 on: May 08, 2016, 09:52:08 AM »
Thanks Jean-Philippe. I hadn't seen Let's Encrypt before, I'll check it out.

I'll have a go at installing v6 and see how I go.

DanB35 (http://www.familybrown.org)
Re: Pydio not logging out
« Reply #22 on: May 08, 2016, 12:34:38 PM »
Quote
you should use let's encrypt to get a free wildcard certificate.
Let's Encrypt doesn't do wildcard certs, but they'll put as many hostnames as you want (up to 100) on a single cert.  See the wiki at https://wiki.contribs.org/Letsencrypt for instructions; I think that letsencrypt.sh is a better path for SME than using the official client at this point.

Re: Pydio not logging out
« Reply #23 on: May 10, 2016, 01:06:03 PM »
I've installed v6.0.7 in an iBay and appear to have most of the functionality working (although I haven't thoroughly tested it yet).
I mostly followed the instructions at https://wiki.contribs.org/Pydio with a few minor changes:

PHPBaseDir=/home/e-smith/files/ibays/<pydio_ibay>/:/tmp/:/etc/ (I had to do this to get the ldap authentication working properly - not sure if there's a better way)
I entered the ibay options individually (copying and pasting from that page didn't work)

Then I setup Pydio to use LDAP:
LDAP URL: localhost
Protocol: Standard (ldap)
LDAP Port: 389
People DN: ou=Users,dc=clientdomain,dc=com
LDAP Server Page Size: 500
LDAP Filter: objectClass=person
Groups DN: ou=Groups,dc=clientdomain,dc=com
LDAP Groups Filter: objectClass=posixGroup
Group Attribute: displayName
Fake Member From: memberUid
Fake MemberOf value of Member/MemberUID Attribute of Group: No (Use CN, not DN)
LDAP Attribute: memberOf
Mapping Type: Role Id

Now I can create a workspace using SMB as follows:
Host: localhost
URI: <share name>
Session Credentials: Yes
Recycle Bin Folder: Recycle Bin
alias: <share name>

I haven't got as far as creating the workspace automatically when signal-event share-create (etc) are called. Looks like I'd need to enter the data into ajxp_repo and ajxp_repo_options in the database, but I'm not sure how the uuid is generated.

It's been a decade since I've built an RPM, so I'm probably not going to be much help packaging this up for others, but I'll do what I can to help if someone else is able to.
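What the LDAP settings listed in the post above resolve to, as an added example that is not Pydio code and not from the thread: a minimal LDIF reader plus the two lookups those settings describe (the People DN with `objectClass=person`, the Groups DN with `objectClass=posixGroup`, group names taken from `displayName`, and membership rebuilt from `memberUid` as the "Fake Member From" option asks), run against a constructed directory snapshot. The entries, the user names and the dangling `carol` membership are made up; the DNs, object classes and attributes are the ones the settings name.

```python
"""What the Pydio LDAP settings resolve to on a directory shaped like SME Server's.

Added example, not Pydio code: a minimal LDIF reader plus the two lookups those
settings describe, run against a constructed directory snapshot.
"""

# Constructed LDIF snapshot: two users under the People DN, two posixGroups under
# the Groups DN, and one group that still lists a uid that has no user entry.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=clientdomain,dc=com
objectClass: person
uid: alice
cn: Alice Example

dn: uid=bob,ou=Users,dc=clientdomain,dc=com
objectClass: person
uid: bob
cn: Bob Example

dn: cn=staff,ou=Groups,dc=clientdomain,dc=com
objectClass: posixGroup
cn: staff
displayName: staff
memberUid: alice
memberUid: bob

dn: cn=admins,ou=Groups,dc=clientdomain,dc=com
objectClass: posixGroup
cn: admins
displayName: admins
memberUid: alice
memberUid: carol
"""

PEOPLE_DN = "ou=Users,dc=clientdomain,dc=com"
GROUPS_DN = "ou=Groups,dc=clientdomain,dc=com"


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per blank-line separated entry.
    Enough for plain 'attr: value' lines; base64 ('::') values and line folding
    are not handled, which is fine for this constructed snapshot."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def search(entries, base_dn, object_class):
    """Entries under base_dn matching an (objectClass=X) filter, compared
    case-insensitively as an LDAP server would."""
    hits = []
    for e in entries:
        dn = e["dn"][0]
        under_base = dn.lower().endswith("," + base_dn.lower())
        matches = any(v.lower() == object_class.lower() for v in e.get("objectClass", []))
        if under_base and matches:
            hits.append(e)
    return hits


def fake_member_of(entries):
    """Rebuild the memberOf view the 'Fake Member From: memberUid' setting asks for:
    uid -> set of group names taken from displayName (the 'use CN, not DN' choice).
    A memberUid with no matching person entry is dropped rather than mapped."""
    known = {p["uid"][0] for p in search(entries, PEOPLE_DN, "person")}
    roles = {uid: set() for uid in known}
    for g in search(entries, GROUPS_DN, "posixGroup"):
        name = g.get("displayName", g["cn"])[0]
        for uid in g.get("memberUid", []):
            if uid in known:
                roles[uid].add(name)
    return roles


if __name__ == "__main__":
    for uid, groups in sorted(fake_member_of(parse_ldif(SAMPLE_LDIF)).items()):
        print(uid, sorted(groups))
```

Against a live SME Server the same two lookups can be made with `ldapsearch -x -H ldap://localhost -b "ou=Users,dc=clientdomain,dc=com" "(objectClass=person)" uid` and the matching query against the Groups DN, which is a quick way to confirm the People DN, Groups DN and filters before touching the Pydio settings.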