webpwnized/mutillidae

User Can't Logout Once Logged-in

jtheanalytica opened this issue · 6 comments

Hello Jeremy;
Please have a look at this. Is this normal?

Once I'm logged in with a user, and then try to logout, I'm stuck as logged-in; no matter how many times I try.
The only way to get this to work is by resetting the Firefox history.

See snapshot.

logout-error

I don't know if the following is related in any way, but when I first registered the user, at the bottom, it showed me a message about Posted Token (Validation not performed).
See snapshot.
register-user-error

Thanks

Hello. The "Validation not Performed" message is normal in Security Level 0 since CSRF validation is not checked in level 0.

I tested the "logout" issue on Mutillidae 2.10.2. The issue is that in Level 0, the user information is cached by the browser. If you use the "Back" button, the browser recalls the information from the cache and recreates the logged-in page. If you change the security level to Level 5, Mutillidae implements cache control headers, which prevents the issue.

Mutillidae is vulnerable to authentication caching in Level 0, but this is an intentional vulnerability so this type of issue can be demonstrated in classes. This is a bug, but the bug is on purpose if that makes sense.

However, to make the issue less confusing, I changed the Logout redirect to send the user back to the "Home" page, to make a clean break between the Logout experience and the Login experience. This is available in version 2.10.3.

If you try the same sequence in Level 5, the site should not be vulnerable to the issue.
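The difference between the two security levels comes down to the cache headers on authenticated responses. The following is an added example, not part of the comment above and not Mutillidae's own code: a small audit that flags responses a browser may store and re-display after logout. The function names and all header sets are constructed for illustration; the page does not show the headers Mutillidae actually sends.

```python
# Added example: audit the response headers of an authenticated page for
# directives that stop a browser from keeping and re-displaying it.
# All header sets below are constructed samples, not captured from Mutillidae.

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit_cache_headers(headers):
    """Return a list of findings; an empty list means no issue was found."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(h.get("cache-control", ""))
    findings = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: browser may keep a copy")
        if "no-cache" not in cc and cc.get("max-age") != "0":
            findings.append("no no-cache/max-age=0: copy may be reused without revalidation")
    if "public" in cc:
        findings.append("Cache-Control: public lets shared caches store the page")
    return findings

# Constructed samples: a response with no cache headers, a hardened one,
# and one that looks protected but is still storable for ten minutes.
NO_CACHE_HEADERS = {"Content-Type": "text/html"}
HARDENED = {"Cache-Control": "no-store, no-cache, must-revalidate",
            "Pragma": "no-cache", "Expires": "0"}
WEAK = {"Cache-Control": "private, max-age=600"}

if __name__ == "__main__":
    for label, sample in [("no cache headers", NO_CACHE_HEADERS),
                          ("hardened", HARDENED), ("weak", WEAK)]:
        result = audit_cache_headers(sample)
        print(label, "->", result or "OK")
```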

Hi Jeremy;
thanks.
Just to let you know that now the logout experience looks like the following (see snapshot) in the new update 2.10.3.

logout in version-2 10 3

Another three notes here:

First: Is there any way to update to a newer version without having to "clone git" the file, and redo any configurations I previously did?

The other thing: I noticed whenever I tried to create a new user - in Security levels 1 and 5, I got the following error (see snapshot). I don't know whether that existed in the previous releases as I never tried doing it.

registerError

The third relates to the Help Me!. It just doesn't work - even in the previous release.

error-HelpMe

Thanks again.

Thanks. The third item, the Help Button, was a bug. This is fixed in 2.10.4 along with 3 similar bugs in other classes. The JavaScript popup is normal in Level 1 and Level 5. The idea is that you get around the popup by manipulating the JavaScript on the page.

Thanks, Jeremy.
Any help on whether there is any way to update to a newer version without having to "clone git" the file, and redo any configurations I previously did?

Thanks

git clone pulls down the current version of the project. If you made any changes that you want to keep, you have to "stash" the files that you want to keep, then restore those files after the clone. Of course, if the new version improved those same files, you might have an issue, but this is not common. If you think your changes improve the project, you can submit them as a Pull Request and they will be incorporated into the project itself if those changes improve the project for all users.

I have opened issue #32 with a suggested solution

I had cloned 2.10.5-1-g7fc4333 and the bug was still there