I'm currently using Odoo Online and have been attempting to test new users over the past couple of days. I've noticed that when using Chrome and Firefox the browser somehow remembers my userid and password, even after I select Log Out from the top right menu bar and go so far as to close the browser window.
When I come back to the main site to log in, I see the option to 'Sign In' on our website (providing the appearance that a user needs to sign in), but when I click on Sign In the browser immediately logs me into the last logged-in session. I discovered this when I was attempting to test different user settings and wasn't able to do so.
When I did a search on Google, I saw that there is a cached result from February of someone who identified the same issue, but the link and post have been removed:
Is this a known issue and is it currently being addressed? We have shared devices at our work and this is a huge concern - especially when the manual Log Out process is ineffective and doesn't reset the session parameters.
Is this just an issue with Odoo Online and the account synchronization or does it affect self-hosted as well?
Is this only an issue if there is a client website/qWeb service installed or for any situation?
Odoo uses oAuth for authentication! So I suppose that your problem is not a critical security issue, but a behavior to understand...
When you go to your_instance.odoo.com, Odoo checks whether you are already logged in on the oAuth server (accounts.odoo.com).
If yes, you are logged in again...
If no, you have to log in again (on the oAuth server)...
So when you "Disconnect" from "your_instance.odoo.com", you are disconnected from your instance but not from the oAuth server... If you go to accounts.odoo.com, you are still logged in!
It's the same as when you use Google to be authenticated on some other website. When you log out from these sites, you are not disconnected from Google!
If you don't want this behavior, you can change your logout behavior by replacing the default logout with a link to 'https://accounts.odoo.com/web/session/logout?redirect=https://my.odoo.com/web/session/logout' to close both your sessions.
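An added illustration (not from this answer or Odoo's own code) that models the two session stores the answer describes, shows why a local logout still allows a silent re-login, builds the chained logout link, and adds the check a practitioner would want on the `redirect` parameter. Hostnames are assumptions for illustration only.

```python
from urllib.parse import urlencode, urlsplit

# Assumed hostnames for the model; not Odoo's real endpoints.
IDP_HOST = "accounts.example.com"      # central oAuth / identity provider
SP_HOST = "my-instance.example.com"    # the tenant instance


class SsoWorld:
    """Toy in-memory model: one session per host, tracked per user."""

    def __init__(self):
        self.idp_sessions = set()   # users with a live IdP session
        self.sp_sessions = set()    # users with a live instance session

    def login(self, user):
        # A full login creates a session on both hosts.
        self.idp_sessions.add(user)
        self.sp_sessions.add(user)

    def visit_sign_in(self, user):
        """Clicking 'Sign In' on the instance: if the IdP still has a session,
        the user is re-logged without entering a password."""
        if user in self.idp_sessions:
            self.sp_sessions.add(user)
            return "silent-relogin"
        return "password-required"

    def logout_instance_only(self, user):
        # Default behaviour from the answer: only the instance session ends.
        self.sp_sessions.discard(user)

    def logout_chained(self, user):
        # Log out at the IdP first, which then redirects to the instance logout.
        self.idp_sessions.discard(user)
        self.sp_sessions.discard(user)


def chained_logout_url(idp_host, sp_host):
    """Build the 'IdP logout, then redirect to instance logout' link."""
    target = f"https://{sp_host}/web/session/logout"
    return f"https://{idp_host}/web/session/logout?" + urlencode({"redirect": target})


def is_allowed_redirect(url, allowed_hosts):
    """A logout 'redirect' parameter should only point at a known host over
    HTTPS; an unchecked value would turn the logout endpoint into an open redirect."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in allowed_hosts
```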
I wholeheartedly agree with FPT Media's comment that the Odoo SaaS "log out" functionality is a security issue and should be fixed as soon as possible. When a user clicks Log Out, Odoo must take care of terminating sessions and cookies relating to authentication. Furthermore, it would be great to have a button similar to Google's Gmail service that would allow you to "Sign out all other web sessions". When clicked, Google terminates all sessions across all platforms (mobile and web).
Asked: 3/29/15, 12:14 AM
Seen: 1009 times
Last updated: 9/1/15, 7:32 AM