Koozali.org: home of the SME Server

Pydio not logging out

Online nicolatiana

« on: February 28, 2014, 12:11:17 PM »
SME 8 with pydio 5.2.2-1.el5.fws + smeserver-pydio 0.2.9-1.el5.fws. - Access via Firefox 27 or IE 11, both on Windows 8/64 and Firefox 27 on CentOS 5.9/64
When I log out, instead of being redirected to the main login page, I go back to the previously logged in pages where I can still access files.

Nicola
Consultant for Smeserver.it - Solutions and support for SME Server in Italy.

Offline Daniel B.

« Reply #1 on: February 28, 2014, 01:40:44 PM »
That's expected, Pydio uses a basic HTTP auth which cannot close a session (closing the browser will terminate the session). What you can do is to redirect users to any page you want when they click on disconnect:

Code:
db configuration setprop pydio LogoutUrl http://sme.domain.tld/disconnected.html
signal-event webapps-update

Regards, Daniel
It's the end of the world!!! :lol:

Online nicolatiana

« Reply #2 on: November 20, 2014, 08:41:47 AM »
Now testing for a production environment, I'm not able to have the logout url redirection working.
This is my db configuration:
Quote
[root@sme8-pdc ~]# db configuration show pydio
pydio=webapp
    DbName=pydio
    DbPassword=q4xlDF051RX1jt4Sa9+lmh4ugReETRkHwkixeOVOYNN+2ustT2JwLrrS2iAvEabLHnW0HrVnQJL9
    DbUser=pydio
    LogoutUrl=https://www.google.it
    access=private
    status=enabled

Nicola

Offline Stefano

« Reply #3 on: November 20, 2014, 09:44:21 AM »
if something doesn't work as expected out-of-the-box, please raise a bug :-)

Online nicolatiana

« Reply #4 on: November 20, 2014, 10:18:34 AM »
Maybe it's only a db variable to be configured in some way . . . .

Nicola

Offline Stefano

« Reply #5 on: November 20, 2014, 10:20:51 AM »
Nicola, Daniel told you that setting LogoutUrl and invoking webapps-update event should do the trick.. if it doesn't, something isn't working properly..
usually I call it "bug", hence -> bugzilla..

TIA

Offline CharlieBrady

« Reply #6 on: November 20, 2014, 04:31:53 PM »
Quote
That's expected, Pydio uses a basic HTTP auth which cannot close a session (closing the browser will terminate the session). What you can do is to redirect users to any page you want when they click on disconnect:

However, when you do that, and they then go back to the pydio URL, they will still be able to access files. As you say, with http basic authentication, the only way to remove the login credentials from the browser is to close the browser.

Perhaps someone should convert smeserver-pydio to use ticket based authentication, as used in server-manager.
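
The difference discussed in this thread, as an added example that is not part of any post and is not code from Pydio, smeserver-pydio or server-manager: a stateless Basic auth check next to a ticket scheme whose server-side state can be deleted on logout. All names, the sample account and the simplified `Cookie` header (the bare ticket) are assumptions made for illustration.

```python
import base64, hmac, secrets

USERS = {"user1": "constructed-password"}  # constructed sample account

def basic_header(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def check_basic(headers):
    """Stateless Basic auth: each request is judged only by its own header."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return 401
    try:
        user, _, pw = base64.b64decode(blob).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return 401
    ok = user in USERS and hmac.compare_digest(pw.encode(), USERS[user].encode())
    return 200 if ok else 401

class TicketAuth:
    """Ticket auth: the server holds a ticket table it can delete from."""
    def __init__(self):
        self.tickets = {}
    def login(self, user, pw):
        if check_basic({"Authorization": basic_header(user, pw)}) != 200:
            return None
        ticket = secrets.token_urlsafe(32)
        self.tickets[ticket] = user
        return ticket
    def check(self, headers):
        return 200 if headers.get("Cookie") in self.tickets else 401
    def logout(self, headers):
        self.tickets.pop(headers.get("Cookie"), None)

def demo():
    # The browser caches Basic credentials and replays them until it is closed.
    browser = {"Authorization": basic_header("user1", "constructed-password")}
    basic_before = check_basic(browser)
    # "Disconnect" only redirects to LogoutUrl; the server has nothing to revoke.
    basic_after = check_basic(browser)
    server = TicketAuth()
    cookie = {"Cookie": server.login("user1", "constructed-password")}
    ticket_before = server.check(cookie)
    server.logout(cookie)                 # server forgets the ticket
    ticket_after = server.check(cookie)   # browser still sends the old cookie
    return basic_before, basic_after, ticket_before, ticket_after

if __name__ == "__main__":
    print(demo())
```

A request with no `Authorization` header, which is what a freshly started browser sends, gets 401 from `check_basic`, matching the "close the browser" advice in the thread.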

Offline CharlieBrady

« Reply #7 on: November 20, 2014, 06:58:20 PM »
Quote
That's expected, Pydio uses a basic HTTP auth which cannot close a session (closing the browser will terminate the session). What you can do is to redirect users to any page you want when they click on disconnect...

Does it make any sense to have a 'disconnect' button on something using Basic auth?

Offline Daniel B.

« Reply #8 on: November 20, 2014, 07:02:40 PM »
It makes sense in some situations: for example, I'm using LemonLDAP::NG to protect my web apps, including Pydio. It's a cookie based SSO solution but emulates basic auth from the app POV. It can catch any URL and redirect users where I want. I'm using this feature to catch the classic logout link of every protected app and redirect them to the main portal. On a standard SME, as it's using pure basic auth, it doesn't make a lot of sense, but removing it would require patching Pydio itself, which I'd rather avoid.

Offline peterking

« Reply #9 on: April 04, 2016, 10:05:23 AM »
Hi,
This is quite an old thread so I am hoping that there was a fix for this issue.
I am trying to set up my first SME Server.  I have the same problems that are described in this thread. It looks like the users weren't given any assistance.

The problem:
user1 accesses smeserver/pydio for their shared directories, however they cannot log out. When user2 on a different machine tries to access Pydio they are actually shown the same screen that user1 cannot log out from!

Obviously this is quite a serious security issue and renders the server unusable for file and directory sharing.

Can anyone point me in the right direction for a solution?

Thanks,
Peter
smeserver 9.1

Offline Daniel B.

« Reply #10 on: April 04, 2016, 10:10:46 AM »
Quote
The problem:
user1 accesses smeserver/pydio for their shared directories, however they cannot log out. When user2 on a different machine tries to access Pydio they are actually shown the same screen that user1 cannot log out from!

Absolutely not (or this would indeed be a big security concern). The session is linked to the browser. There's no way you can get the previous session on a different machine. When using basic auth, there's only one way to end the session: close the browser. The disconnect button which doesn't work was just redirecting the user to an arbitrary page. It had no security purpose.

Offline peterking

« Reply #11 on: April 04, 2016, 10:17:03 AM »
Hi Daniel,
Thanks for the speedy reply.
I will check my testing and try again but I am sure that is what I saw. I am using Virtualbox for my test server and using different Vmachines and browsers to test.

You mention basic authentication being an issue. Does this mean we can use a better form of authentication that ensures a user can log out, terminates the session and prevents the problem?
Thanks
Peter

Offline Daniel B.

« Reply #12 on: April 04, 2016, 10:19:14 AM »
Quote
You mention basic authentication being an issue. Does this mean we can use a better form of authentication that ensures a user can log out, terminates the session and prevents the problem?

I don't consider this as an issue, it's the way it works. It's not a problem as long as you are aware of it. There are other ways to auth (against LDAP for example), but it's a lot harder to configure, because you'll have to do it by hand

Offline peterking

« Reply #13 on: April 04, 2016, 10:26:49 AM »
Daniel,
With all due respect. That is your opinion.
The introduction states: 'Koozali SME Server is a complete, secure, stable and versatile'
If smeserver is designed for business use, security should be the first priority.
I think smeserver is a great solution with a strong community. I would like to believe I can get around this problem.
The majority of file sharing solutions would not be in business very long if they took the same view.

What do the other members say?

best wishes,
Peter

Offline Daniel B.

« Reply #14 on: April 04, 2016, 10:29:13 AM »
Quote
The introduction states: 'Koozali SME Server is a complete, secure, stable and versatile'
If smeserver is designed for business use, security should be the first priority.

And security is a top priority for me. I just don't consider basic auth a security issue, as long as you are aware that you must close your browser to end the session.