Web client stayed logged in when using multiple tabs #2347

Closed
1 of 2 tasks
ineffyble opened this issue Apr 23, 2017 · 5 comments
Labels
bug (Something isn't working), security (Security issues and fixes, vulnerabilities)

Comments

@ineffyble
Member

Steps to replicate:

  • Log in to the web client
  • Open a new tab
  • Log out in the second tab
  • Log in to another account in the second tab
  • Switch to first tab
  • Toot

Expected: Error message, or first tab client logs out

Actual: Toot is successfully published from the first account


  • I searched or browsed the repo’s other issues to ensure this is not a duplicate.
  • This bug happens on a tagged release and not on master (If you're a user, don't worry about this).
ashfurrow added the labels bug, priority - high, security on Apr 23, 2017
@ashfurrow
Contributor

Yikes!

@Gargron
Member

Gargron commented May 2, 2017

This shouldn't be weird really? Web client uses an OAuth access token. While your page is open, the access token stays the same so you can keep using the API. If you reload the page you won't have access to the access token anymore.

@daprice
Contributor

daprice commented May 26, 2017

This might be worse than previously thought. On iOS Safari I can do the following:

  1. Start with a tab logged in to mastodon
  2. log out
  3. close the tab
  4. leave the browser and come back to it later
  5. reopen the closed tab from history by holding down the "+" button
  6. press the back button to get back to the timeline

…and be able to toot/favorite/boost without having to enter any credentials. This has to do with Safari saving the page state along with browsing history, and I believe Firefox/Chrome do something similar.

As far as I can tell, this means that in order to prevent someone else from gaining complete access to their account, a user on a shared device would have to either (a) reset the browser (i.e. clear history, cookies, and any saved window/tab state) when finished using Mastodon, or (b) only ever use Mastodon with private browsing and close the tab after logging out.

@Gargron
Member

Gargron commented May 26, 2017

So uh.. I guess we could store the access token in a cookie then? Instead of having it in the HTML.

@daprice
Contributor

daprice commented May 26, 2017

Regardless of where the access token is stored, shouldn't it be invalidated on the server side when the user logs out, per https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Manual_Session_Expiration ?
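The server-side behaviour the thread converges on (token bound to the browser session, logout revokes the token, a revoked token ends the session, a cleanup pass drops revoked tokens) is modelled below as an added, self-contained Ruby example. It is not Mastodon's code and uses no Rails, Devise or Doorkeeper API; `SessionStore`, `replay_issue` and the in-memory `Struct` records are constructed for illustration, and `replay_issue` walks the exact steps from the issue report so the stale first-tab token is refused after the second tab logs out.

```ruby
require 'securerandom'

# Constructed in-memory model of the fix discussed in this issue (not Mastodon's
# own code): a web-UI access token is bound to the browser session that created
# it, logout revokes the token server-side, and revoking the token also destroys
# the bound session.
class SessionStore
  Session = Struct.new(:id, :user, :token_id)
  Token   = Struct.new(:id, :user, :session_id, :revoked_at)

  def initialize
    @sessions = {}
    @tokens   = {}
  end

  # Login: create a cookie session and a web access token bound to it.
  # Returns [session_id, token_id]; the token is what the page embeds.
  def login(user)
    session_id = SecureRandom.hex(16)
    token_id   = SecureRandom.hex(16)
    @sessions[session_id] = Session.new(session_id, user, token_id)
    @tokens[token_id]     = Token.new(token_id, user, session_id, nil)
    [session_id, token_id]
  end

  # Logout from any tab: destroy the session and revoke its token, so a stale
  # copy still held by another tab (or a restored page) is refused.
  def logout(session_id)
    session = @sessions.delete(session_id)
    return false unless session
    revoke_token(session.token_id)
    true
  end

  # Token revoked some other way (e.g. from a sessions overview): the bound
  # session is destroyed too, forcing a re-login.
  def revoke_token(token_id)
    token = @tokens[token_id]
    return false unless token
    token.revoked_at ||= Time.now
    @sessions.delete(token.session_id)
    true
  end

  # API request path: accept the token only if it exists, is unrevoked and its
  # session still exists. Returns the acting user, or nil (HTTP 401).
  def authenticate(token_id)
    token = @tokens[token_id]
    return nil if token.nil? || token.revoked_at
    return nil unless @sessions.key?(token.session_id)
    token.user
  end

  # Scheduler-style cleanup: delete revoked tokens, returning how many were removed.
  def purge_revoked
    before = @tokens.size
    @tokens.delete_if { |_, t| t.revoked_at }
    before - @tokens.size
  end
end

# Replays the steps from the issue. Both tabs share the same cookie session, so
# the second tab's logout destroys the session the first tab's token is bound to.
def replay_issue
  store = SessionStore.new
  s1, t1 = store.login('alice')          # tab 1 logs in; t1 is embedded in its page
  before = store.authenticate(t1)        # tab 1 can post: 'alice'
  store.logout(s1)                       # tab 2 logs out (same cookie session)
  _s2, t2 = store.login('bob')           # tab 2 logs in to another account
  after = store.authenticate(t1)         # tab 1 toots with its stale token: nil
  {
    before: before,
    after: after,
    second_tab: store.authenticate(t2),  # tab 2's fresh token still works: 'bob'
    purged: store.purge_revoked          # the revoked t1 is cleaned up: 1
  }
end

puts replay_issue.inspect if $PROGRAM_NAME == __FILE__
```

The check that matters is the one in `authenticate`: a token is refused both when it is marked revoked and when the session it was issued for no longer exists, so neither order of destruction (logout first, or token revocation first) leaves a usable credential behind.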

Gargron added a commit that referenced this issue Jun 25, 2017
When you logout, session also destroys the access token, so it's no longer
valid. If access token is destroyed some other way, the session is also
destroyed, requiring a re-login.

Fix #1681 - Add scheduler to remove revoked access tokens and grants
Gargron added a commit that referenced this issue Jun 25, 2017
* Add overview of active sessions

* Better display of browser/platform name

* Improve how browser information is stored and displayed for sessions overview

* Fix test

* Fix #2347 - Bind web UI access token to session

When you logout, session also destroys the access token, so it's no longer
valid. If access token is destroyed some other way, the session is also
destroyed, requiring a re-login.

Fix #1681 - Add scheduler to remove revoked access tokens and grants

* Fix test
mkody pushed a commit to im-in-space/mastodon that referenced this issue Jul 31, 2023
Signed-off-by: Plastikmensch <plastikmensch@users.noreply.github.com>