Reviewed: https://reviews.mahara.org/12187
Committed: https://git.mahara.org/mahara/mahara/commit/74f38088a23eaab04af6ac3019e1372582f49e15
Submitter: Gold ([email protected])
Branch: 21.04_STABLE

commit 74f38088a23eaab04af6ac3019e1372582f49e15
Author: Robert Lyon <[email protected]>
Date: Wed Jun 2 14:26:55 2021 +1200

    Security Bug 1930469: Forcing the authenticated user to be logged out

    If there is an error in webservice

    Change-Id: Ic827da3a385aa14f0a342aaf67b509efac154ad4
    Signed-off-by: Robert Lyon <[email protected]>
    (cherry picked from commit 9e405b25c718bbfbb03e4d30b50cc5e71b34da48)
    (cherry picked from commit e85a2fedbbd3c825dc73cf903e641b9a117bd9e4)

https://bugs.launchpad.net/bugs/1930469

Title:
  Need to kill web service authentication session at end of process

Status in Mahara: Fix Released
Status in Mahara 20.04 series: Fix Released
Status in Mahara 20.10 series: Fix Released
Status in Mahara 21.04 series: Fix Released

Bug description:
  Currently when a token based webservice is called it authenticates the
  owner of the token on the Mahara end so that any functions called by
  the service can only be executed if the authenticated token owner can
  run those functions.

  One of the problems with the current setup is we don't then kill the
  session of this token owner when the webservice call is completed.

  This means if one hits a site with a crafted URL containing a valid
  token but no webservice function they will get an error message page,
  but if they then go to the home page of the site they will find they
  are logged in as the token owner.

  In the webservice_base_server class there is the run() method that
  goes through the steps to do a webservice call and the last part is
  calling $this->session_cleanup();

  And in that method is nothing to actually handle the logging out of
  that session.
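
The pattern the bug description asks for, as an added example that is not Mahara's code and not the committed patch: cleanup placed in a finally block so the token owner's login is dropped on the error path as well as on success. SessionStore, TokenServer, the request keys and the token and user values are hypothetical and constructed for this sketch; only run() and session_cleanup() take their names from the description.

```php
<?php
// Added illustration, not Mahara code. All classes, request keys and
// values here are hypothetical stand-ins constructed for this sketch.

final class SessionStore {
    public ?string $user = null;          // null means "not logged in"
    public function login(string $user): void { $this->user = $user; }
    public function logout(): void { $this->user = null; }
}

final class TokenServer {
    /** @var array<string,string> constructed token => owner map */
    private array $tokens = ['constructed-token-1' => 'token_owner'];

    public function __construct(private SessionStore $session) {}

    public function run(array $request): string {
        try {
            $owner = $this->tokens[$request['token'] ?? ''] ?? null;
            if ($owner === null) {
                throw new RuntimeException('invalid token');
            }
            // The call runs with the token owner's permissions.
            $this->session->login($owner);
            if (empty($request['function'])) {
                // Error path from the report: valid token, no function.
                throw new RuntimeException('missing function');
            }
            return 'called ' . $request['function'] . ' as ' . $owner;
        } catch (RuntimeException $e) {
            return 'error: ' . $e->getMessage();
        } finally {
            // Runs on success and on every error path.
            $this->session_cleanup();
        }
    }

    private function session_cleanup(): void {
        $this->session->logout();         // drop the token owner's login
    }
}

$session = new SessionStore();
$server  = new TokenServer($session);
// Error path first, then a normal call; inspect login state after each.
echo $server->run(['token' => 'constructed-token-1']), "\n";
var_dump($session->user);
echo $server->run(['token' => 'constructed-token-1', 'function' => 'demo_fn']), "\n";
var_dump($session->user);
```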

