Automatic logout #2288

Closed
squromiv opened this issue Mar 21, 2019 · 9 comments

@squromiv

commented Mar 21, 2019

Is there any way to log in to account2 by opening the address FreshRSS/p/i/?c=auth&a=account2&u=login&p=password, with automatic logout from the previous account1?

@Alkarex

Member

commented Mar 21, 2019

Hello,
Have a look at the unsafe automatic login option:
image

@squromiv

Author

commented Mar 21, 2019

I know about it. But it works only if I manually log out from the previous account in the browser.

@Alkarex Alkarex added this to the 1.14.0 milestone Mar 21, 2019

@Alkarex

Member

commented Mar 21, 2019

Ah, I see. I will look into it.

Alkarex added a commit to Alkarex/FreshRSS that referenced this issue Mar 22, 2019

Rework CSRF interaction with sessions
Fix FreshRSS#2288
Improve security in some edge cases
Maybe relevant for FreshRSS#2125 (comment)

@Alkarex

Member

commented Mar 22, 2019

Would you be able to try #2290?

@squromiv

Author

commented Mar 22, 2019

@Alkarex
Tried. Cannot log in as an admin or as another user at all.

Sorry, I closed the issue. I am not a programmer and am still not able to work well with GitHub.

@squromiv squromiv closed this Mar 22, 2019

@Alkarex Alkarex reopened this Mar 22, 2019

@Alkarex

Member

commented Mar 22, 2019

Thanks for the quick test. What method did you use to update the code for the test?

@squromiv

Author

commented Mar 22, 2019

Maybe I am totally wrong (lack of experience), but I manually downloaded these files from here:
userController.php
authController.php
Auth.php
FreshRSS.php
main.js

And placed them into the corresponding folders of FreshRSS.

Alkarex added a commit that referenced this issue Mar 22, 2019

Rework CSRF interaction with sessions (#2290)
* Rework CSRF interaction with sessions

Fix #2288
Improve security in some edge cases
Maybe relevant for #2125 (comment)

* Forgotten mime type
@Alkarex

Member

commented Mar 22, 2019

@squromiv While that might work sometimes, especially at the beginning of the development of a new version, that assumes there is no conflicting change in other files.
To make it a bit easier, I have merged those changes in our development branch, which you can try by downloading https://github.com/FreshRSS/FreshRSS/archive/dev.zip
(All those things are easier when the install is done by git)

@squromiv

Author

commented Mar 22, 2019

@Alkarex
Thanks a lot. Checked dev version. Works as it should.

@Alkarex Alkarex closed this Mar 23, 2019

Alkarex added a commit that referenced this issue Mar 23, 2019
