Odoo Help

Welcome!

This community is for beginners and experts willing to share their Odoo knowledge. It's not a forum to discuss ideas, but a knowledge base of questions and their answers.

0

CRITICAL: Access Security/Browser Session Concern on Public/Shared PCs

By
FPT MEDIA
on 3/29/15, 12:14 AM 1,088 views

I'm currently using Odoo Online and have been attempting to test new users over the past couple days. I've noticed that when using Chrome and Firefox the browser somehow remembers my userid and password. Even after I select log out from the top right menu bar and go so far as to close the browser window.

When I come back to the main site to login, I see the option to 'Sign In' on our website (providing the appearance that a user needs to sign in) but when I click on sign in the browser immediately logs me into the last logged in session. I discovered this when I was attempting to test different user settings and I wasn't able to do so.

When I did a search on Google, I saw that there is a cached result from February of someone who identified the same issue, but the link and post have been removed:

https://www.odoo.com/forum/help-1/question/public-pc-identity-access-security-concern-78075  

Is this a known issue and is it currently being addressed? We have shared devices at our work and this is a huge concern - especially when the manual Log Out process is ineffective and doesn't reset the session parameters. 

Is this just an issue with Odoo Online and the account synchronization or does it affect self-hosted as well?

Is this only an issue if there is a client website/qWeb service installed or for any situation?

0

Jérémy Kersten (jke)

--Jérémy Kersten (jke)--
2993
| 3 2 5
Jodoigne, Belgium
--Jérémy Kersten (jke)--

Jérémy is a member of the core R&D team since september 2013. He developed several projects for OpenERP version 8 including the eCommerce, the Google Calendar synchronization and the new product variants/configurator. Now, he manages Odoo website and themes for saas.

Jérémy Kersten (jke)
On 3/29/15, 6:31 AM

Hello

Odoo uses oAuth for authentication ! So I suppose that your problem is not a critical security issue, but a behavior to understand...


When you go to your_instance.odoo.com, Odoo check if you are already logged on the oAuth server (accounts.odoo.com).

If yes, you are logged again...

If no, you should to make login again (on server oAuth) ...


So when, you make a "Disconnect", from "your_instance.odoo.com", your are disconnected from your instance but not from the oAuth server... If you go to  accounts.odoo.com, you are still logged ! 


It's the same thing that when you use google to be authenticated on some other website. When you log out from these sites, your are not disconnected from Google !


UPDATE

If you don't want this behavior, you can change your logout behavior, by replacing the default logout by a link to 'https://accounts.odoo.com/web/session/logout?redirect=https://my.odoo.com/web/session/logout' to close your both sessions.


Hi Jeremy - unfortunately this is not like Google services. When I click "log out" from Google or other services, my session ID is terminated on the server side so the encryption hash is no longer valid without reauthenticating my credentials. Additionally, even after I close all browsers I can still log into the systems without passwords being re-entered. This is a security issue (whether the flaw is from design or through breach) where a user terminated session is not requiring a new session cookie or authentication. If someone selects "logout" and closes browsers, there is reasonable expectation that the system would require a username and password to regain access.

Flowerpot Media, FPT MEDIA
on 3/29/15, 6:41 AM

I agree with Jeremy. I think you are misunderstanding two scenarios: login into a service (e.g. google.com, odoo.com,...) and delegating the authentication to another service (stackoverflow.com, myinstance.odoo.com,...). In the first case you are actually connected to the main service, when you logout, your are out of the service (simple). In the second case, it's another service that is responsible to identify you (when you login into stackoverflow.com, you can delegate the authentication to google, facebook, yahoo,...; on myinstance.odoo.com, you can delegate to odoo.com, google,...). As the authentication service and the logged services are two different things, they are independent. If you used Google to login onto Stackoverflow, loging out of stackoverflow will NOT kick you out of gmail or other Google services. For odoo it's the same: if you are logged into alice.odoo.com and bob.odoo.com with the same odoo user, logging out of alice.odoo.com should not log you out of bob.odoo.com or odoo.com. By the way, with auth_oauth plugin, you can change your server to use google instead of odoo.com to authenticate you if you wish to do so.

Martin Trigaux (mat)
on 3/30/15, 3:56 AM
2
Gregory Dover
On 3/29/15, 1:27 PM

I wholeheartedly agree with FPT Media's comment that the Odoo SaaS "log out" functionality is a security issue and should be fixed as soon as possible. When a user click logout, Odoo must take care of terminating sessions and cookies relating to authentication. Furthermore, it would be great to have a button similar to Google's Gmail service that would allow you to "Sign out all other web sessions". When clicked Google terminates all sessions across all platforms (mobile and web).

Your Answer

Please try to give a substantial answer. If you wanted to comment on the question or answer, just use the commenting tool. Please remember that you can always revise your answers - no need to answer the same question twice. Also, please don't forget to vote - it really helps to select the best questions and answers!

About This Community

This community is for professionals and enthusiasts of our products and services. Read Guidelines

Question tools

2 follower(s)

Stats

Asked: 3/29/15, 12:14 AM
Seen: 1088 times
Last updated: 9/1/15, 7:32 AM