Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Automatic logout #2288

Closed
squromiv opened this issue Mar 21, 2019 · 9 comments
Closed

Automatic logout #2288

squromiv opened this issue Mar 21, 2019 · 9 comments
Labels
Security 🛡️
Milestone
1.14.0

Comments

@squromiv
Copy link

Is there any way to login account2, opening address FreshRSS/p/i/?c=auth&a=account2&u=login&p=password with automatic logout from previos account1?
@Alkarex
Copy link
Member

Alkarex commented Mar 21, 2019

Hello,
Have a look at the unsafe automatic login option:
image

@squromiv
Copy link
Author

squromiv commented Mar 21, 2019
edited
Loading

I know about it. But it works only if I manually logout from previous account in browser
4
.

@Alkarex Alkarex added this to the 1.14.0 milestone Mar 21, 2019
@Alkarex
Copy link
Member

Alkarex commented Mar 21, 2019

Ah, I see. I will look into it

Alkarex added a commit to Alkarex/FreshRSS that referenced this issue Mar 22, 2019
@Alkarex
Rework CSRF interaction with sessions
99e0d7a 
Fix FreshRSS#2288
Improve security in some edge cases
Maybe relevant for
FreshRSS#2125 (comment)
@Alkarex Alkarex mentioned this issue Mar 22, 2019
Merged
@Alkarex
Copy link
Member

Alkarex commented Mar 22, 2019

Would you be able to try #2290 ?

@squromiv
Copy link
Author

squromiv commented Mar 22, 2019
edited
Loading

@Alkarex
Tried. Can not login as an admin and other user at all.
6

Sorry, I closed the issue. I am not a programmer and still not able to work well with github.

@Alkarex Alkarex reopened this Mar 22, 2019
@Alkarex
Copy link
Member

Alkarex commented Mar 22, 2019

Thanks for the quick test. What method did you use to update the code for the test?

@squromiv
Copy link
Author

May be I am totally wrong (lack of experience), but I manually downloaded these files from here:
userController.php
authController.php
Auth.php
FreshRSS.php
main.js

And placed them into according folders of FreshRSS.

Alkarex added a commit that referenced this issue Mar 22, 2019
@Alkarex
Rework CSRF interaction with sessions (#2290)
ebd8c31 
* Rework CSRF interaction with sessions

Fix #2288
Improve security in some edge cases
Maybe relevant for
#2125 (comment)

* Forgotten mime type
@Alkarex
Copy link
Member

Alkarex commented Mar 22, 2019

@squromiv While that might work sometimes, especially at the beginning of the development of a new version, that assumes there is no conflicting change in other files.
To make it a bit easier, I have merged those changes in our development branch, which you can try by downloading https://github.com/FreshRSS/FreshRSS/archive/dev.zip
(All those things are easier when the install is done by git)

@squromiv
Copy link
Author

squromiv commented Mar 22, 2019
edited
Loading

@Alkarex
Thanks a lot. Checked dev version. Works as it should.

@Alkarex Alkarex closed this as completed Mar 23, 2019
Alkarex added a commit that referenced this issue Mar 23, 2019
@Alkarex
Changelog
ae1da83 
#2294
#2296
#2278
#2046
#2288
#2290
#2291
#2292
#2273
#2276
#2286
#2281
#2282
@Alkarex Alkarex mentioned this issue Mar 23, 2019
Merged
javerous pushed a commit to javerous/FreshRSS that referenced this issue Jan 20, 2020
@Alkarex
Rework CSRF interaction with sessions (FreshRSS#2290)
8087a90 
* Rework CSRF interaction with sessions

Fix FreshRSS#2288
Improve security in some edge cases
Maybe relevant for
FreshRSS#2125 (comment)

* Forgotten mime type
javerous pushed a commit to javerous/FreshRSS that referenced this issue Jan 20, 2020
@Alkarex
Changelog
2973089 
FreshRSS#2294
FreshRSS#2296
FreshRSS#2278
FreshRSS#2046
FreshRSS#2288
FreshRSS#2290
FreshRSS#2291
FreshRSS#2292
FreshRSS#2273
FreshRSS#2276
FreshRSS#2286
FreshRSS#2281
FreshRSS#2282
mdemoss pushed a commit to mdemoss/FreshRSS that referenced this issue Mar 25, 2021
@Alkarex @mdemoss
Rework CSRF interaction with sessions (FreshRSS#2290)
457aaf0 
* Rework CSRF interaction with sessions

Fix FreshRSS#2288
Improve security in some edge cases
Maybe relevant for
FreshRSS#2125 (comment)

* Forgotten mime type
mdemoss pushed a commit to mdemoss/FreshRSS that referenced this issue Mar 25, 2021
@Alkarex @mdemoss
Changelog
8490479 
FreshRSS#2294
FreshRSS#2296
FreshRSS#2278
FreshRSS#2046
FreshRSS#2288
FreshRSS#2290
FreshRSS#2291
FreshRSS#2292
FreshRSS#2273
FreshRSS#2276
FreshRSS#2286
FreshRSS#2281
FreshRSS#2282
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Security 🛡️
Projects
None yet
Milestone
1.14.0
Development

No branches or pull requests
2 participants
@Alkarex @squromiv