Posted to dev@sling.apache.org by Antonio Sanso <as...@adobe.com> on 2012/09/21 14:59:54 UTC
LogoutServlet
Hi *,
by chance I had to take a look at the LogoutServlet (o.a.s.auth.core.impl) and I noticed that it supports the GET and POST methods out of the box, and this is also not configurable.
As you know, it would be better if the logout worked only for POST.
There are several examples in the wild showing why... :)
What do you think about making it at least configurable, with the POST method by default?
Regards
Antonio
Re: LogoutServlet
Posted by Justin Edelson <ju...@justinedelson.com>.
The message below got bounced back to me...
On Fri, Oct 5, 2012 at 3:49 PM, Justin Edelson <ju...@justinedelson.com> wrote:
>
> Hi Michael,
>
> Thanks for bringing this back up. I see the thread died off without
> resolution (probably my fault).
>
> On Fri, Oct 5, 2012 at 1:36 PM, Michael Marth <mm...@adobe.com> wrote:
>>
>> Hi Justin,
>>
>> > This is obviously not backwards compatible. I'm unclear on the use case
>> > for
>> > configurability as logout is idempotent.
>>
>>
>> judging from the respective sending times your mail might have been sent
>> before you read Antonio's explanation about the <img> attack.
>
>
> Indeed, although I think the author of
> http://duruk.net/some-web-development-tips/ and I may have different
> definitions of impotency :)
>
> Regardless, I'm happy to see this be configurable. Created
> https://issues.apache.org/jira/browse/SLING-2615 for it.
>
> I'm still unsure about changing the default, but I'll change my vote to a
> -0 on that :)
>
> Justin
>
>>
>>
>> I think if Sling itself does not change the defaults at least Sling users
>> should be able to do so.
>> (+1 on making this configurable)
>>
>>
>> Personally, I think security problems allow for API changes (at least of
>> this scope), so I would even change the default in Sling.
>>
>>
>> Michael
>
>
Re: LogoutServlet
Posted by Michael Marth <mm...@adobe.com>.
Hi Justin,
> This is obviously not backwards compatible. I'm unclear on the use case for
> configurability as logout is idempotent.
judging from the respective sending times your mail might have been sent before you read Antonio's explanation about the <img> attack.
I think if Sling itself does not change the defaults at least Sling users should be able to do so.
(+1 on making this configurable)
Personally, I think security problems allow for API changes (at least of this scope), so I would even change the default in Sling.
Michael
Re: LogoutServlet
Posted by Justin Edelson <ju...@justinedelson.com>.
Hi Antonio,
On Fri, Sep 21, 2012 at 8:59 AM, Antonio Sanso <as...@adobe.com> wrote:
> Hi *,
>
> by chance I had to take a look at the LogoutServlet (o.a.s.auth.core.impl)
> and I noticed that it supports the GET and POST methods out of the box,
> and this is also not configurable.
> As you know, it would be better if the logout worked only for POST.
> There are several examples in the wild showing why... :)
>
> What do you think about making it at least configurable, with the POST
> method by default?
>
-0 to making this configurable
-1 to making only POST supported by default
This is obviously not backwards compatible. I'm unclear on the use case for
configurability as logout is idempotent.
Justin
> Regards
>
> Antonio
>
Re: LogoutServlet
Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi Antonio,
On Fri, Sep 21, 2012 at 2:59 PM, Antonio Sanso <as...@adobe.com> wrote:
> ...What do you think about making it at least configurable, with the POST method by default?...
+1
-Bertrand
Re: LogoutServlet
Posted by Antonio Sanso <as...@adobe.com>.
Hi Felix
On Sep 21, 2012, at 4:22 PM, Felix Meschberger wrote:
> Hi,
>
> On 21.09.2012 at 14:59 Antonio Sanso wrote:
>
>> Hi *,
>>
>> by chance I had to take a look at the LogoutServlet (o.a.s.auth.core.impl) and I noticed that it supports the GET and POST methods out of the box, and this is also not configurable.
>> As you know, it would be better if the logout worked only for POST.
>> There are several examples in the wild showing why... :)
>
> Can you provide links and risks? Thanks.
one simple one:
"For example, your sign-out should only work as a POST request so that someone cannot make your users sign out by just including an <img> tag in their forum signature."
taken from [0].
I would not call them risks but an annoyance, and all the other examples are kind of similar...
Regards
Antonio
[0] http://duruk.net/some-web-development-tips/
> (for my testing GET /system/sling/logout.html was really helpful because I can use the browser. But the same holds for GET /content/page?action=delete which we do not have any longer for obvious reasons ;-) )
>
>> What do you think about making it at least configurable, with the POST method by default?
>
> +1 given some links.
>
> Regards
> Felix
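The POST-only logout Antonio is asking for, as an added example written for this thread; it is not Sling's own LogoutServlet from o.a.s.auth.core.impl. It uses the plain javax.servlet HttpServlet API rather than Sling's servlet base classes, and the init parameter name `logout.allowGet` is an assumption chosen for the example. With the default setting a GET, such as the one a browser issues for an `<img src="/system/sling/logout.html">` placed in third-party content, is answered with 405 and never touches the session; only a POST invalidates it.

```java
// Added example, not Sling's code: a logout servlet that performs the logout
// on POST only, unless the (hypothetical) init parameter "logout.allowGet"
// is set to "true" by the operator.
import java.io.IOException;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class PostOnlyLogoutServlet extends HttpServlet {

    // Secure default: GET is refused. Operators who want the old behaviour
    // (for example to log out from the browser address bar while testing)
    // have to opt in explicitly.
    private boolean allowGet = false;

    @Override
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        // parseBoolean returns false for a missing parameter, so the
        // absence of configuration keeps the safe default.
        allowGet = Boolean.parseBoolean(config.getInitParameter("logout.allowGet"));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!allowGet) {
            // A GET caused by an <img> tag or a plain link never reaches the
            // logout logic; the Allow header tells clients what is accepted.
            resp.setHeader("Allow", "POST");
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
                    "Logout requires POST");
            return;
        }
        logout(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        logout(req, resp);
    }

    // The actual logout: drop the server-side session if there is one and
    // send the user back to the site root. getSession(false) avoids creating
    // a fresh session just to invalidate it.
    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

Restricting the method stops the `<img>` trick from the duruk.net tip, because an image fetch is always a GET. It does not by itself stop a cross-site form that submits a POST to the logout URL; a site that wants that covered as well still needs a per-session token or an origin check on the POST, which is outside what this thread discusses.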
Re: LogoutServlet
Posted by Felix Meschberger <fm...@adobe.com>.
Hi,
On 21.09.2012 at 14:59 Antonio Sanso wrote:
> Hi *,
>
> by chance I had to take a look at the LogoutServlet (o.a.s.auth.core.impl) and I noticed that it supports the GET and POST methods out of the box, and this is also not configurable.
> As you know, it would be better if the logout worked only for POST.
> There are several examples in the wild showing why... :)
Can you provide links and risks? Thanks.
(for my testing GET /system/sling/logout.html was really helpful because I can use the browser. But the same holds for GET /content/page?action=delete which we do not have any longer for obvious reasons ;-) )
>
> What do you think about making it at least configurable, with the POST method by default?
+1 given some links.
Regards
Felix