#1487953 closed Bugs (fixed)
security lack with http_authentication
| Reported by: | Lars | Owned by: | |
|---|---|---|---|
| Priority: | 5 | Milestone: | 0.6-beta |
| Component: | Security | Version: | 0.5.3 |
| Severity: | normal | Keywords: | security |
| Cc: | singularita@… | | |
Description
Hi,
when the http_authentication plugin is enabled and you log out, you can just re-enter the Roundcube URL and are automatically logged in as the previous user.
I'm not an HTTP expert, but the HTTP authentication should be expired/killed there, or this behaviour should be mentioned somewhere.
sessions:
log in with http_authentication enabled as mustermann
log out
log in as someone else (musterfrau) and you're logged in as mustermann (because of the plugin)
Thanks
Lars
Change History (5)
comment:1 Changed 23 months ago by thomasb
- Priority changed from 1 - Highest to 5
- Severity changed from critical to normal
comment:2 Changed 23 months ago by balert
you could just request something like http://reset:reset@<roundcube-url>?Logout=1 when logout is triggered, to reset the currently used username and password to both "reset". The browser would then "forget", or rather overwrite, the actual user credentials.
comment:3 Changed 22 months ago by bilbo
- Cc singularita@… added
It seems that to add myself to CC, I have to write a valid comment. Please consider fixing the Trac so that if someone only wants to add himself to Cc: for the bug, it is not necessary to actually write any comment.
Sometimes this works, but sometimes I get a message like this:
Submission rejected as potential spam (Akismet says content is spam, BlogSpam says content is spam (Too few words))
comment:4 Changed 21 months ago by alec
- Resolution set to fixed
- Status changed from new to closed
Fixed in r5093/svn. PHP_AUTH_* data isn't used when a user is provided.
comment:5 Changed 21 months ago by thomasb
Added logout redirect option in r5121/svn.
The page redirected to can then reset HTTP auth if desired, using hacks as suggested here: http://stackoverflow.com/questions/31326/is-there-a-browser-equivalent-to-ies-clearauthenticationcache

It's the nature of browsers that HTTP authentication headers are automatically sent in subsequent requests until the browser is closed. Please note that this is an experimental plugin which only re-uses an existing HTTP auth but does not create it. Thus, wherever this authentication was created is the place to reset it again. Our plugin can therefore just define a redirect URL to which the user is sent after logging out of Roundcube.
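The two changes described in comment:4 and comment:5, as an added illustration in plain PHP. This is not the plugin's or Roundcube's own code: the function names, the `logout_url` config key and all sample values are assumptions made for the example.

```php
<?php
// Added illustration of the fixes described in comment:4 and comment:5.
// Not the plugin's code: function names, the 'logout_url' config key and
// all sample values are assumptions made for this example.

/**
 * Pick the credentials to authenticate with.
 *
 * Credentials typed into the login form take precedence. The PHP_AUTH_USER /
 * PHP_AUTH_PW values the browser keeps replaying are only consulted when the
 * form is empty. Letting the headers win (the pre-fix behaviour) meant that
 * after a logout, the cached credentials of the previous user were used no
 * matter who filled in the form.
 */
function select_credentials(array $form, array $server): ?array
{
    $user = trim((string) ($form['_user'] ?? ''));
    $pass = (string) ($form['_pass'] ?? '');

    if ($user !== '') {
        // Explicit login: ignore whatever Authorization header the browser replays.
        return ['user' => $user, 'pass' => $pass, 'source' => 'form'];
    }

    if (!empty($server['PHP_AUTH_USER']) && !empty($server['PHP_AUTH_PW'])) {
        // No form input: re-use the HTTP auth the web server already verified.
        return [
            'user'   => $server['PHP_AUTH_USER'],
            'pass'   => $server['PHP_AUTH_PW'],
            'source' => 'http',
        ];
    }

    return null; // nothing to authenticate with; show the login form
}

/**
 * Where to send the browser after logout. The plugin only re-uses HTTP auth
 * it did not create, so it cannot clear the browser's cache itself; the
 * configured page (wherever the auth was set up) is the place to do that.
 */
function logout_redirect(array $config): ?string
{
    $url = trim((string) ($config['logout_url'] ?? ''));
    return $url !== '' ? $url : null;
}

// Walk through the ticket's scenario with constructed input.
$server = ['PHP_AUTH_USER' => 'mustermann', 'PHP_AUTH_PW' => 'constructed-secret'];

// First visit with an empty login form: existing HTTP auth is re-used.
$first = select_credentials([], $server);
echo "empty form  -> {$first['user']} ({$first['source']})\n";

// After logout, musterfrau fills in the form while the browser still replays
// mustermann's header: the form entry wins.
$second = select_credentials(['_user' => 'musterfrau', '_pass' => 'constructed'], $server);
echo "form filled -> {$second['user']} ({$second['source']})\n";

// Logout redirect target, if one is configured.
$target = logout_redirect(['logout_url' => 'https://sso.example.invalid/logout']);
echo 'logout      -> ' . ($target ?? 'show Roundcube login form') . "\n";
```

The redirect alone does not clear the browser's cached credentials; as the comment says, only the page that originally set up the HTTP auth can do that, which is why the form-over-header rule is the part that actually stops the wrong account from being reused.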