SOLVED! » Edit #3 (12-05-2020): Now logout is 100% perfect on v2.4 Alpha 8.
» Edit #2 (09-05-2020): This was almost fixed by Rejetto on v2.4 Alpha 5.
» Edit #1 (07-05-2020): I had to edit the title (Confirmed bug: HFS doesn't discard previous auth sessions), because it seems some people have not understood it. Like the title says: HFS doesn't discard the 'session ID' of an authenticated user when he logs out using a form-based login (we are talking about the 'logout' function at server level; to reproduce the bug, the user must not use the native login function of the browser).
Message to Rejetto, Mars, SilentPliz or any other Delphi/Pascal programmer:
• Steps to reproduce this possible bug:
1) Use default 2.3's template along with this form-based login (diff-template).
2) Create a user and have some shared folders protected with a password.
3) Open your browser and use the form-based login to authenticate (do NOT enter credentials on the browser's internal popup login, hit cancel on that popup window).
4) Open several password-protected folders in several browser tabs, and navigate through those sub-folders if you want.
5) Click on the 'Logout' button, change to another tab, and navigate to some password-protected resource (you will be automatically logged in again!).
» Why is this an HFS bug and not a fault in the template?... Please follow the next steps and you will find how it SHOULD work:
A) Follow steps 1 to 5, but after clicking on the logout, temporarily close HFS.
B) Open HFS again, and now try to navigate to some password-protected resource (you will NOT be automatically logged in!). Yay!
This demonstrates that HFS is not discarding (in its memory) the association between some previously logged-in USER and the session ID (SID) he used.
- You may say: but this could be solved on the client side by generating a new 'session ID' cookie. You are right, but if the user had several tabs open (or if he goes back in the browser history), he will automatically be logged back in again, and this is unwanted (and insecure).
- What does this mean?: This means that when this bug is fixed, no matter if you go back in your browser, once you log out you can't access any password-protected resource anymore (no matter if you had multiple tabs open).
If you have any questions or difficulties on reproducing this, please ask me. This thread is open to anyone, so, don't be afraid to leave your question...
Cheers,
Leo.-
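The server-side behaviour described in the post, modelled as an added example (this is not HFS code or the author's template; HFS is written in Delphi). The user list, the `/protected/` path prefix and the `SessionStore` class are constructed for the demonstration. `discard_on_logout=False` reproduces the reported bug: logout only makes the client drop its cookie, while the server keeps the SID-to-user association, so any request that still presents the old SID (another tab, a history navigation, or a captured cookie) is authenticated again. `discard_on_logout=True` is the fix, and a fresh store stands in for restarting HFS (steps A and B).

```python
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample credentials for the demonstration (not HFS's user list).
USERS = {"leo": "s3cret"}


class SessionStore:
    """Server-side table mapping session IDs (SIDs) to authenticated users.

    discard_on_logout=False models the behaviour reported in the post:
    the server never forgets the SID -> user association on logout.
    discard_on_logout=True is the fix: the SID is invalidated server-side.
    """

    def __init__(self, discard_on_logout: bool) -> None:
        self._sessions: Dict[str, str] = {}  # lives only in server memory
        self._discard_on_logout = discard_on_logout

    def login(self, username: str, password: str) -> Optional[str]:
        """Form-based login: on success, mint a fresh random SID."""
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def logout(self, sid: str) -> None:
        """Server-level logout for the given SID."""
        if self._discard_on_logout:
            # Fix: forget the association, so a replayed SID is worthless.
            self._sessions.pop(sid, None)
        # Buggy variant: nothing happens on the server; only the client
        # is told to drop its cookie.

    def handle(self, path: str, sid: Optional[str]) -> int:
        """Return an HTTP status for a request carrying an optional SID cookie."""
        if not path.startswith("/protected/"):
            return 200
        if sid is not None and sid in self._sessions:
            return 200
        return 401


def reproduce(discard_on_logout: bool) -> List[int]:
    """Replay steps 3 to 5 and return the statuses of the two requests made
    after logout: the tab whose cookie was cleared, then a tab that still
    presents the old SID."""
    server = SessionStore(discard_on_logout)
    sid = server.login("leo", "s3cret")
    assert sid is not None
    assert server.handle("/protected/docs/", sid) == 200   # step 4
    server.logout(sid)                                      # step 5
    after_clear = server.handle("/protected/docs/", None)   # tab that logged out
    after_replay = server.handle("/protected/docs/", sid)   # other tab / history
    return [after_clear, after_replay]


def reproduce_with_restart() -> int:
    """Steps A and B: the association exists only in memory, so restarting the
    server (a new, empty store) rejects the old SID even in the buggy variant."""
    server = SessionStore(discard_on_logout=False)
    sid = server.login("leo", "s3cret")
    assert sid is not None
    server.logout(sid)
    restarted = SessionStore(discard_on_logout=False)
    return restarted.handle("/protected/docs/", sid)


if __name__ == "__main__":
    print("buggy  :", reproduce(False))        # old SID still accepted
    print("fixed  :", reproduce(True))         # old SID rejected
    print("restart:", reproduce_with_restart())
```

The check that matters is the second status in `reproduce(...)`: a correct logout must make the server reject the old SID regardless of what the client does with its cookie, which is exactly why clearing the cookie client-side is not a fix.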