Release 6.20.0: Switch to turn on insecure login methods

The action redirect of the login servlet takes a one-time token and then redirects the user to their session. Unfortunately, we discovered errors in the infrastructure around Open-Xchange that caused those one-time tokens to be sent to the wrong clients, so the wrong clients got redirected into other users' sessions. This is possible because the action redirect rewrites the client IP and User-Agent stored in the session.

To prevent this, the action redirect will from now on by default not rewrite the client IP and User-Agent. A wrongly sent one-time token is then denied when accessing Open-Xchange, because the presenting client no longer matches the session. To enable the old behaviour, a switch is added to the /opt/open-xchange/etc/groupware/login.properties configuration file. The property looks like this:

    # Configures whether an insecure login is allowed, meaning whether the local IP and/or user-agent strings are replaced in the
    # associated user session on login redirect or login redeem requests. To create a session from a server for some client, you have
    # to pass the client's IP address when creating the session.
    # WARNING! Setting this parameter to true may result in users seeing a different user's content if the infrastructure around OX
    # does not work correctly.
    com.openexchange.ajax.login.insecure=false

The property is purposely named "insecure" because it enables possibly insecure operations of the login servlet that may lead to security problems. Administrators switching that behaviour on should be warned!
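To make the difference between the two settings concrete, here is a small model of the redeem check described above. It is an added illustration, not Open-Xchange code: the session store, token handling and the property reader are assumptions of this model, and a token is assumed to be consumed on its first presentation whichever way the check goes.

```python
"""Model of the login redirect/redeem check: a session is bound to the
client IP and User-Agent that created it, and a one-time token lets a
client take over that session. With insecure=false the redeeming client
must match the bound IP/User-Agent, so a token delivered to the wrong
client is denied instead of rebinding the session to that client."""
import secrets
from dataclasses import dataclass

PROPERTY = "com.openexchange.ajax.login.insecure"

@dataclass
class Session:
    user: str
    client_ip: str
    user_agent: str

def load_insecure_flag(properties_text: str) -> bool:
    """Read the insecure flag from login.properties text (constructed
    single-key reader; missing key means the secure default, False)."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith(PROPERTY + "="):
            return line.split("=", 1)[1].strip().lower() == "true"
    return False

class LoginServlet:
    def __init__(self, insecure: bool):
        self.insecure = insecure
        self.sessions = {}   # session id -> Session
        self.tokens = {}     # one-time token -> session id

    def create_session(self, user, client_ip, user_agent):
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(user, client_ip, user_agent)
        return sid

    def issue_token(self, sid):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = sid
        return token

    def redeem(self, token, client_ip, user_agent):
        """Return the session id on success, None when denied."""
        sid = self.tokens.pop(token, None)  # one-time: gone after this
        if sid is None:
            return None
        session = self.sessions[sid]
        if self.insecure:
            # Old behaviour: rebind the session to whoever holds the token.
            session.client_ip, session.user_agent = client_ip, user_agent
            return sid
        if (session.client_ip, session.user_agent) != (client_ip, user_agent):
            return None  # token reached the wrong client: denied
        return sid
```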