Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Бухгалтерия
Склад
PoS
Проекты
MRP

All apps

Все посты Люди Значки

Теги (Смотреть все)

odoo accounting v14 pos v15

Об этом форуме

Помощь

CRITICAL: Access Security/Browser Session Concern on Public/Shared PCs

security chrome password browser login

3 Ответы

9279 Представления

FPT MEDIA

I'm currently using Odoo Online and have been attempting to test new users over the past couple days. I've noticed that when using Chrome and Firefox the browser somehow remembers my userid and password. Even after I select log out from the top right menu bar and go so far as to close the browser window.

When I come back to the main site to login, I see the option to 'Sign In' on our website (providing the appearance that a user needs to sign in) but when I click on sign in the browser immediately logs me into the last logged in session. I discovered this when I was attempting to test different user settings and I wasn't able to do so.

When I did a search on Google, I saw that there is a cached result from February of someone who identified the same issue, but the link and post have been removed:

https://www.odoo.com/forum/help-1/question/public-pc-identity-access-security-concern-78075

Is this a known issue and is it currently being addressed? We have shared devices at our work and this is a huge concern - especially when the manual Log Out process is ineffective and doesn't reset the session parameters.

Is this just an issue with Odoo Online and the account synchronization or does it affect self-hosted as well?

Is this only an issue if there is a client website/qWeb service installed or for any situation?

Jérémy Kersten (jke)

Лучший ответ

Hello

Odoo uses oAuth for authentication ! So I suppose that your problem is not a critical security issue, but a behavior to understand...

When you go to your_instance.odoo.com, Odoo check if you are already logged on the oAuth server (accounts.odoo.com).

If yes, you are logged again...

If no, you should to make login again (on server oAuth) ...

So when, you make a "Disconnect", from "your_instance.odoo.com", your are disconnected from your instance but not from the oAuth server... If you go to accounts.odoo.com, you are still logged !

It's the same thing that when you use google to be authenticated on some other website. When you log out from these sites, your are not disconnected from Google !

UPDATE

If you don't want this behavior, you can change your logout behavior, by replacing the default logout by a link to 'https://accounts.odoo.com/web/session/logout?redirect=https://my.odoo.com/web/session/logout' to close your both sessions.

OdooBot

Hi Jeremy - unfortunately this is not like Google services. When I click "log out" from Google or other services, my session ID is terminated on the server side so the encryption hash is no longer valid without reauthenticating my credentials. Additionally, even after I close all browsers I can still log into the systems without passwords being re-entered. This is a security issue (whether the flaw is from design or through breach) where a user terminated session is not requiring a new session cookie or authentication. If someone selects "logout" and closes browsers, there is reasonable expectation that the system would require a username and password to regain access.

Martin Trigaux (mat)

I agree with Jeremy. I think you are misunderstanding two scenarios: login into a service (e.g. google.com, odoo.com,...) and delegating the authentication to another service (stackoverflow.com, myinstance.odoo.com,...). In the first case you are actually connected to the main service, when you logout, your are out of the service (simple). In the second case, it's another service that is responsible to identify you (when you login into stackoverflow.com, you can delegate the authentication to google, facebook, yahoo,...; on myinstance.odoo.com, you can delegate to odoo.com, google,...). As the authentication service and the logged services are two different things, they are independent. If you used Google to login onto Stackoverflow, loging out of stackoverflow will NOT kick you out of gmail or other Google services. For odoo it's the same: if you are logged into alice.odoo.com and bob.odoo.com with the same odoo user, logging out of alice.odoo.com should not log you out of bob.odoo.com or odoo.com. By the way, with auth_oauth plugin, you can change your server to use google instead of odoo.com to authenticate you if you wish to do so.

Gregory Dover

I wholeheartedly agree with FPT Media's comment that the Odoo SaaS "log out" functionality is a security issue and should be fixed as soon as possible. When a user click logout, Odoo must take care of terminating sessions and cookies relating to authentication. Furthermore, it would be great to have a button similar to Google's Gmail service that would allow you to "Sign out all other web sessions". When clicked Google terminates all sessions across all platforms (mobile and web).

Не оставайтесь в стороне – присоединяйтесь к обсуждению!

Создайте аккаунт сегодня, чтобы получить доступ к эксклюзивным функциям и стать частью нашего замечательного сообщества!

Регистрация

Похожие посты	Ответы	Просмотры
[V10] Invalidated Cache / Login impossible Решено security password login v10 chache	2 мая 18	10041
how can I change my password security password employee login openerp7	1 мар. 15	5309
Problem with 2 factor authentication security login	0 окт. 23	2873
How can I find the admin login and password after installing Odoo? Решено password login	4 авг. 22	123632
How to fix An error happen only in one device? Weird. But it happen javascript chrome browser	0 февр. 25	1745

Этот вопрос был отмечен

Не оставайтесь в стороне – присоединяйтесь к обсуждению!