Posted to dev@sling.apache.org by Antonio Sanso <as...@adobe.com> on 2012/09/21 14:59:54 UTC

LogoutServlet

Hi *,

by chance I had to take a look at the LogoutServlet (o.a.s.auth.core.impl) and I have noticed that it supports both GET and POST methods out of the box, and this is also not configurable.
As you know, it would be better if logout only worked for POST.
There are several examples in the wild showing why... :)

What do you think about making it at least configurable, with the POST method by default?

Regards

Antonio

Re: LogoutServlet

Posted by Justin Edelson <ju...@justinedelson.com>.
Message below got bounced back to me...

On Fri, Oct 5, 2012 at 3:49 PM, Justin Edelson <ju...@justinedelson.com> wrote:
>
> Hi Michael,
>
> Thanks for bringing this back up. I see the thread died off without
> resolution (probably my fault).
>
> On Fri, Oct 5, 2012 at 1:36 PM, Michael Marth <mm...@adobe.com> wrote:
>>
>> Hi Justin,
>>
>> > This is obviously not backwards compatible. I'm unclear on the use case
>> > for
>> > configurability as logout is idempotent.
>>
>>
>> judging from the respective sending times your mail might have been sent
>> before you read Antonio's explanation about the <img> attack.
>
>
> Indeed, although I think the author of
> http://duruk.net/some-web-development-tips/ and I may have different
> definitions of impotency :)
>
> Regardless, I'm happy to see this be configurable. Created
> https://issues.apache.org/jira/browse/SLING-2615 for it.
>
> I'm still unsure about changing the default, but I'll change my vote to a
> -0 on that :)
>
> Justin
>
>>
>>
>> I think if Sling itself does not change the defaults at least Sling users
>> should be able to do so.
>> (+1 on making this configurable)
>>
>>
>> Personally, I think security problems allow for API changes (at least of
>> this scope), so I would even change the default in Sling.
>>
>>
>> Michael
>
>

Re: LogoutServlet

Posted by Michael Marth <mm...@adobe.com>.
Hi Justin,

> This is obviously not backwards compatible. I'm unclear on the use case for
> configurability as logout is idempotent.


judging from the respective sending times your mail might have been sent before you read Antonio's explanation about the <img> attack.

I think if Sling itself does not change the defaults at least Sling users should be able to do so.
(+1 on making this configurable)

Personally, I think security problems allow for API changes (at least of this scope), so I would even change the default in Sling.

Michael

Re: LogoutServlet

Posted by Justin Edelson <ju...@justinedelson.com>.
Hi Antonio,

On Fri, Sep 21, 2012 at 8:59 AM, Antonio Sanso <as...@adobe.com> wrote:

> Hi *,
>
> by chance I had to take a look at the LogoutServlet (o.a.s.auth.core.impl)
> and I have noticed that it supports both GET and POST methods out of the box,
> and this is also not configurable.
> As you know, it would be better if logout only worked for POST.
> There are several examples in the wild showing why... :)
>
> What do you think about making it at least configurable, with the POST
> method by default?
>

-0 to making this configurable
-1 to making only POST supported by default

This is obviously not backwards compatible. I'm unclear on the use case for
configurability as logout is idempotent.

Justin


> Regards
>
> Antonio
>

Re: LogoutServlet

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi Antonio,

On Fri, Sep 21, 2012 at 2:59 PM, Antonio Sanso <as...@adobe.com> wrote:
> ...What do you think about making it at least configurable, with the POST method by default?...

+1

-Bertrand

Re: LogoutServlet

Posted by Antonio Sanso <as...@adobe.com>.
Hi Felix


On Sep 21, 2012, at 4:22 PM, Felix Meschberger wrote:

> Hi,
>
> Am 21.09.2012 um 14:59 schrieb Antonio Sanso:
>
>> Hi *,
>>
>> by chance I had to take a look at the LogoutServlet (o.a.s.auth.core.impl) and I have noticed that it supports both GET and POST methods out of the box, and this is also not configurable.
>> As you know, it would be better if logout only worked for POST.
>> There are several examples in the wild showing why... :)
>
> Can you provide links and risks? Thanks.

one simple one:

For example, your sign-out should only work as a POST request so that someone cannot make your users sign out by just including an <img> tag in their forum signature.

taken from [0].
I would not call it a risk but an annoyance, and all the other examples are kind of similar...

Regards

Antonio

[0] http://duruk.net/some-web-development-tips/

> (for my testing GET /system/sling/logout.html was really helpful because I can use the browser. But the same holds for GET /content/page?action=delete which we do not have any longer for obvious reasons ;-) )
>
>> What do you think about making it at least configurable, with the POST method by default?
>
> +1 given some links.
>
> Regards
> Felix



Re: LogoutServlet

Posted by Felix Meschberger <fm...@adobe.com>.
Hi,

Am 21.09.2012 um 14:59 schrieb Antonio Sanso:

> Hi *,
> 
> by chance I had to take a look at the LogoutServlet (o.a.s.auth.core.impl) and I have noticed that it supports both GET and POST methods out of the box, and this is also not configurable.
> As you know, it would be better if logout only worked for POST.
> There are several examples in the wild showing why... :)

Can you provide links and risks? Thanks.

(for my testing GET /system/sling/logout.html was really helpful because I can use the browser. But the same holds for GET /content/page?action=delete which we do not have any longer for obvious reasons ;-) )

> 
> What do you think about making it at least configurable, with the POST method by default?

+1 given some links.

Regards
Felix