Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

Müşteri İlişkileri Yönetimi
e-Commerce
Muhasebe
Envanter
PoS
Proje Yönetimi
MRP

All apps

All Posts People Badges

Etiketler (View all)

odoo accounting v14 pos v15

About this forum

Yardım

CRITICAL: Access Security/Browser Session Concern on Public/Shared PCs

security chrome password browser login

3 Cevaplar

9223 Görünümler

FPT MEDIA

I'm currently using Odoo Online and have been attempting to test new users over the past couple days. I've noticed that when using Chrome and Firefox the browser somehow remembers my userid and password. Even after I select log out from the top right menu bar and go so far as to close the browser window.

When I come back to the main site to login, I see the option to 'Sign In' on our website (providing the appearance that a user needs to sign in) but when I click on sign in the browser immediately logs me into the last logged in session. I discovered this when I was attempting to test different user settings and I wasn't able to do so.

When I did a search on Google, I saw that there is a cached result from February of someone who identified the same issue, but the link and post have been removed:

https://www.odoo.com/forum/help-1/question/public-pc-identity-access-security-concern-78075

Is this a known issue and is it currently being addressed? We have shared devices at our work and this is a huge concern - especially when the manual Log Out process is ineffective and doesn't reset the session parameters.

Is this just an issue with Odoo Online and the account synchronization or does it affect self-hosted as well?

Is this only an issue if there is a client website/qWeb service installed or for any situation?

Jérémy Kersten (jke)

En İyi Yanıt

Hello

Odoo uses oAuth for authentication ! So I suppose that your problem is not a critical security issue, but a behavior to understand...

When you go to your_instance.odoo.com, Odoo check if you are already logged on the oAuth server (accounts.odoo.com).

If yes, you are logged again...

If no, you should to make login again (on server oAuth) ...

So when, you make a "Disconnect", from "your_instance.odoo.com", your are disconnected from your instance but not from the oAuth server... If you go to accounts.odoo.com, you are still logged !

It's the same thing that when you use google to be authenticated on some other website. When you log out from these sites, your are not disconnected from Google !

UPDATE

If you don't want this behavior, you can change your logout behavior, by replacing the default logout by a link to 'https://accounts.odoo.com/web/session/logout?redirect=https://my.odoo.com/web/session/logout' to close your both sessions.

OdooBot

Hi Jeremy - unfortunately this is not like Google services. When I click "log out" from Google or other services, my session ID is terminated on the server side so the encryption hash is no longer valid without reauthenticating my credentials. Additionally, even after I close all browsers I can still log into the systems without passwords being re-entered. This is a security issue (whether the flaw is from design or through breach) where a user terminated session is not requiring a new session cookie or authentication. If someone selects "logout" and closes browsers, there is reasonable expectation that the system would require a username and password to regain access.

Martin Trigaux (mat)

I agree with Jeremy. I think you are misunderstanding two scenarios: login into a service (e.g. google.com, odoo.com,...) and delegating the authentication to another service (stackoverflow.com, myinstance.odoo.com,...). In the first case you are actually connected to the main service, when you logout, your are out of the service (simple). In the second case, it's another service that is responsible to identify you (when you login into stackoverflow.com, you can delegate the authentication to google, facebook, yahoo,...; on myinstance.odoo.com, you can delegate to odoo.com, google,...). As the authentication service and the logged services are two different things, they are independent. If you used Google to login onto Stackoverflow, loging out of stackoverflow will NOT kick you out of gmail or other Google services. For odoo it's the same: if you are logged into alice.odoo.com and bob.odoo.com with the same odoo user, logging out of alice.odoo.com should not log you out of bob.odoo.com or odoo.com. By the way, with auth_oauth plugin, you can change your server to use google instead of odoo.com to authenticate you if you wish to do so.

Gregory Dover

I wholeheartedly agree with FPT Media's comment that the Odoo SaaS "log out" functionality is a security issue and should be fixed as soon as possible. When a user click logout, Odoo must take care of terminating sessions and cookies relating to authentication. Furthermore, it would be great to have a button similar to Google's Gmail service that would allow you to "Sign out all other web sessions". When clicked Google terminates all sessions across all platforms (mobile and web).

Enjoying the discussion? Don't just read, join in!

Create an account today to enjoy exclusive features and engage with our awesome community!

Üye Ol

İlgili Gönderiler	Cevaplar	Görünümler
[V10] Invalidated Cache / Login impossible Çözüldü security password login v10 chache	2 May 18	10002
how can I change my password security password employee login openerp7	1 Mar 15	5274
Problem with 2 factor authentication security login	0 Eki 23	2851
How can I find the admin login and password after installing Odoo? Çözüldü password login	4 Ağu 22	123379
How to fix An error happen only in one device? Weird. But it happen javascript chrome browser	0 Şub 25	1717

Bu soru işaretlendi

Enjoying the discussion? Don't just read, join in!