This question has been flagged
3 Replies
6235 Views
securitychromepasswordbrowserlogin
Avatar
FPT MEDIA

I'm currently using Odoo Online and have been attempting to test new users over the past couple days. I've noticed that when using Chrome and Firefox the browser somehow remembers my userid and password. Even after I select log out from the top right menu bar and go so far as to close the browser window.

When I come back to the main site to login, I see the option to 'Sign In' on our website (providing the appearance that a user needs to sign in) but when I click on sign in the browser immediately logs me into the last logged in session. I discovered this when I was attempting to test different user settings and I wasn't able to do so.

When I did a search on Google, I saw that there is a cached result from February of someone who identified the same issue, but the link and post have been removed:

https://www.odoo.com/forum/help-1/question/public-pc-identity-access-security-concern-78075  

Is this a known issue and is it currently being addressed? We have shared devices at our work and this is a huge concern - especially when the manual Log Out process is ineffective and doesn't reset the session parameters. 

Is this just an issue with Odoo Online and the account synchronization or does it affect self-hosted as well?

Is this only an issue if there is a client website/qWeb service installed or for any situation?

Avatar
Discard
Avatar
Jérémy Kersten (jke)
Best Answer

Hello

Odoo uses oAuth for authentication ! So I suppose that your problem is not a critical security issue, but a behavior to understand...


When you go to your_instance.odoo.com, Odoo check if you are already logged on the oAuth server (accounts.odoo.com).

If yes, you are logged again...

If no, you should to make login again (on server oAuth) ...


So when, you make a "Disconnect", from "your_instance.odoo.com", your are disconnected from your instance but not from the oAuth server... If you go to  accounts.odoo.com, you are still logged ! 


It's the same thing that when you use google to be authenticated on some other website. When you log out from these sites, your are not disconnected from Google !


UPDATE

If you don't want this behavior, you can change your logout behavior, by replacing the default logout by a link to 'https://accounts.odoo.com/web/session/logout?redirect=https://my.odoo.com/web/session/logout' to close your both sessions.


Avatar
Discard
OdooBot

Hi Jeremy - unfortunately this is not like Google services. When I click "log out" from Google or other services, my session ID is terminated on the server side so the encryption hash is no longer valid without reauthenticating my credentials. Additionally, even after I close all browsers I can still log into the systems without passwords being re-entered. This is a security issue (whether the flaw is from design or through breach) where a user terminated session is not requiring a new session cookie or authentication. If someone selects "logout" and closes browsers, there is reasonable expectation that the system would require a username and password to regain access.

Martin Trigaux (mat)

I agree with Jeremy. I think you are misunderstanding two scenarios: login into a service (e.g. google.com, odoo.com,...) and delegating the authentication to another service (stackoverflow.com, myinstance.odoo.com,...). In the first case you are actually connected to the main service, when you logout, your are out of the service (simple). In the second case, it's another service that is responsible to identify you (when you login into stackoverflow.com, you can delegate the authentication to google, facebook, yahoo,...; on myinstance.odoo.com, you can delegate to odoo.com, google,...). As the authentication service and the logged services are two different things, they are independent. If you used Google to login onto Stackoverflow, loging out of stackoverflow will NOT kick you out of gmail or other Google services. For odoo it's the same: if you are logged into alice.odoo.com and bob.odoo.com with the same odoo user, logging out of alice.odoo.com should not log you out of bob.odoo.com or odoo.com. By the way, with auth_oauth plugin, you can change your server to use google instead of odoo.com to authenticate you if you wish to do so.

Avatar
Gregory Dover
Best Answer

I wholeheartedly agree with FPT Media's comment that the Odoo SaaS "log out" functionality is a security issue and should be fixed as soon as possible. When a user click logout, Odoo must take care of terminating sessions and cookies relating to authentication. Furthermore, it would be great to have a button similar to Google's Gmail service that would allow you to "Sign out all other web sessions". When clicked Google terminates all sessions across all platforms (mobile and web).

Avatar
Discard