Description

When you use the admin feature to switch to a different user, your own user account isn't logged out. This isn't really a problem unless some authentication methods expect to actually do something when you log out.

Currently, this isn't a problem since the cookies don't expire anyway. However, my work in progress patches make cookies expire when you log out by tagging each cookie with its own secret string stored in the wiki to avoid cookie stealing. With that, a superuser is still susceptible to cookie stealing when using the setuid functionality because the superuser cookie isn't cleared.

Steps to reproduce

1. Log in as a superuser
2. switch to a different user

Details

The problem comes from the fact that the userpreferences action simply uses auth.setSessionCookie() to create a new session for the target user. I think we should separate this by making the auth framework aware of the setuid functionality. That way, we can also allow a superuser to switch to a different user account again when they're done with the work of that user.

Another thing that this would fix is that with my current patch only 20 different cookies are allowed for each user. When a superuser switches to an account, one of those 20 is actually used up and possibly an old one expired.

Discussion

I have now completely reimplemented the select user functionality with the following patch series:

• http://johannes.sipsolutions.net/patches/moin-cookie-expiry.patch

  • Makes moin actually check cookie expiry

• http://johannes.sipsolutions.net/patches/moin-cookie-nonce.patch

  • Introduces a secret for each cookie a user has (up to 20 secrets) that are removed when the user logs out to avoid cookie stealing.

• http://johannes.sipsolutions.net/patches/moin-remove-cookie-secret.patch

  • Removes the now useless global cookie secret

• http://johannes.sipsolutions.net/patches/moin-move-cookie-parsing.patch

  • Moves cookie parsing to the common request code so different auth methods don't need to duplicate it.

• http://johannes.sipsolutions.net/patches/moin-session.patch

  • Introduces session state for logged in users as well as anonymous users (the latter is optional and not used currently)

• http://johannes.sipsolutions.net/patches/moin-fix-setuid.patch

  • Makes use of the session framework for setuid functionality, a user may setuid to others and then back to himself even if the target user has no superuser permissions.

Plan

• Priority:

• Assigned to: JohannesBerg

• Status: fixed in 1.6 (where it matters) with commit 1933:19e3af7cabcd

CategoryMoinMoinBugFixed