Results 1 to 10 of 10

Thread: WebMail Logout Should be Definitive

  1. #1
    Registered Member
    Join Date
    Aug 2007
    Posts
    8

    Default WebMail Logout Should be Definitive

    A client of mine just informed me that when he logs out from WebMail, then goes back to the same URL, he is logged back in again. I verified this. Others are upset about it as well.

    http://forums.cpanel.net/f5/email-no...rly-20428.html

    You can't really log out of WebMail unless you completely close the browser. This is unacceptable -- proper session management would make solving this trivial. PLEASE fix this in future versions. Most people won't know they have to close the browser, and in many cases of public terminals they apparently cannot close the browser completely.

  2. #2
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,554
    cPanel/WHM Access Level

    DataCenter Provider

    Lightbulb

    I attempted to reproduce the issue but I was unable to do so using the latest EDGE build of cPanel version 11.25. When testing I logged-in to webmail using SSL on port 2096, successfully loaded the webmail index, then clicked the logout link in the upper-right corner of the page; upon trying to re-access the webmail index page (i.e., the page shown immediately after logging-in) I was prompted with a login screen; I tested with HTTP authentication (where cookie authentication is disabled).

    What is your full cPanel version number?

    What port is being used when accessing webmail? (Examples: non-SSL on 2095, or SSL on 2096)

    Is cookie authentication enabled or disabled (in WHM Tweak Settings)?

    What is the precise method and exact steps being used to login, logout, and then go back (and go back to what URL)? Please try to provide as much detail as possible so we may accurately attempt to reproduce the issue.

    Moderator Note: I've relocated the thread into the cPanel and WHM Discussions forum.

  3. #3
    Registered User
    Join Date
    Nov 2009
    Posts
    2

    Default Cannot logout from webmail

    Bump for the first post. My instance of cPanel also behaves the same.

    If clicking "Logout" or "Sign Out" in any of the webmail clients (Horder,Squirrel,Roundcube) user is taken to: http://www.domain.com:2095/webmaillogout.cgi - showing logout message.

    However, if http://www.domain.com:2095 is loaded, user is taken to: http://www.domain.com:2095/webmail/x3/?login=1, with full login rights.

    Closing the browser has no affect. User can still access webmail control panel without authentication. Using 2096 (SSL) exhibits the SAME behaviour.

    Browser: Safari Version 4.0.3 (5531.9)

    cPanel info:
    cPanel Version 11.24.5-RELEASE
    cPanel Build 38506
    Theme x3
    Apache version 1.3.37 (Unix)
    PHP version 4.4.3
    MySQL version 4.1.22-standard
    Architecture i686
    Operating system Linux

  4. #4
    Registered User
    Join Date
    Nov 2009
    Posts
    2

    Default

    Just to add to the above post: deleting cookies does not affect behaviour.

    In Safari: Selecting Safari>Preferences>Security>Show All Cookies>Remove all.

    User can still access mail via http://www.domain.com:2095/

    It seems this instance of cPanel is also exhibiting the same behaviour for the domain control panel via www.domain.com:2082. I.e., not logging out, and allowing unauthenticated access via the 2082 url.

  5. #5
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,554
    cPanel/WHM Access Level

    DataCenter Provider

    Lightbulb

    Quote Originally Posted by btx5 View Post
    Bump for the first post. My instance of cPanel also behaves the same.

    If clicking "Logout" or "Sign Out" in any of the webmail clients (Horder,Squirrel,Roundcube) user is taken to: http://www.domain.com:2095/webmaillogout.cgi - showing logout message.

    However, if http://www.domain.com:2095 is loaded, user is taken to: http://www.domain.com:2095/webmail/x3/?login=1, with full login rights.

    Closing the browser has no affect. User can still access webmail control panel without authentication. Using 2096 (SSL) exhibits the SAME behaviour.

    Browser: Safari Version 4.0.3 (5531.9)

    cPanel info:
    cPanel Version 11.24.5-RELEASE
    cPanel Build 38506
    Theme x3
    Apache version 1.3.37 (Unix)
    PHP version 4.4.3
    MySQL version 4.1.22-standard
    Architecture i686
    Operating system Linux
    Quote Originally Posted by btx5 View Post
    Just to add to the above post: deleting cookies does not affect behaviour.

    In Safari: Selecting Safari>Preferences>Security>Show All Cookies>Remove all.

    User can still access mail via http://www.domain.com:2095/

    It seems this instance of cPanel is also exhibiting the same behaviour for the domain control panel via www.domain.com:2082. I.e., not logging out, and allowing unauthenticated access via the 2082 url.
    So that we can more thoroughly inspect the reported issue please submit a ticket; if needed, the link in my forums signature may be used to initiate a ticket submission. When available, please PM me the ticket number.

  6. #6
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    11,411
    cPanel/WHM Access Level

    Root Administrator

    Lightbulb

    Quote Originally Posted by webr00t View Post
    A client of mine just informed me that when he logs out from WebMail, then goes back to the same URL, he is logged back in again. I verified this. Others are upset about it as well.

    http://forums.cpanel.net/f5/email-no...rly-20428.html
    That thread is years old. I don't see anyone upset, more of asking why, there.

    Quote Originally Posted by webr00t View Post
    You can't really log out of WebMail unless you completely close the browser. This is unacceptable -- proper session management would make solving this trivial. PLEASE fix this in future versions. Most people won't know they have to close the browser, and in many cases of public terminals they apparently cannot close the browser completely.
    You don't mention the browser used, how many windows were open, etc, but ending a session by closing the browser is quite normal.

    Why do browsers implement Session Merging?
    Proper support for Session Merging is important because most web applications are written to expect it. For instance, when a web application opens a popup window, it usually does so with the expectation that the popup window will share cookies with the main window, so that the user will remain logged in and their preferences will remain available, etc. Similarly, when the user uses the Duplicate Tab command, they reasonably expect the new tab to show them the same content as the original tab-- sharing cookies is critical for that scenario to work correctly.
    Quoted from this link: Session Cookies, sessionStorage, and IE8

    You might like to read the rest of it there.

  7. #7
    Registered User
    Join Date
    Aug 2008
    Posts
    1

    Exclamation Safari and Chrome won't log out... at all !

    I am also having this problem, after logging in to webmail I was unable to log out, at all.
    So far only in Safari and Chrome.
    Everything seems to work fine in Firefox and Opera.

    * Tested on one window with a single tab.
    * Tested on both SSL and non-SSL (2095 & 2096).

    I was able to go straight back in to webmail after:
    - Logging out and seeing logged out message.
    - Logging out then closing and re-opening a window.
    - Logging out then quitting and then re-launching the application.

    I really don't see this as normal behaviour. It's a major problem and my users will go nuts when they realise this problem exists.
    Last edited by MAXp0wr; 12-19-2009 at 04:50 PM. Reason: Forgot to mention about SSL

  8. #8
    Registered Member cPanel Partner NOC Badge
    Join Date
    Jul 2003
    Posts
    130

    Default

    This is an issue that happens in all Safari versions on the new webmail. I've verified this with several different Windows/Mac Safari installations

    Login to Webmail. Click on Logout on top right. Choose to log back in on the log out screen. It will log you back in without asking for a password.

    We are running the latest RELEASE version. This has been tested on several different servers as well.
    Arvixe - Freedom of the web at your fingertips

  9. #9
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    11,411
    cPanel/WHM Access Level

    Root Administrator

    Lightbulb

    I don't use safari for much other than quick testing at times. The version I had installed was beta 4 up until a few minutes ago. Using that one, I logged into cPanel and then into webmail > RoundCube. After viewing mailbox I clicked logout and then got the do you want to login again, I clicked it and it did ask me for my password as I would expect. I closed the browser and then decided to upgrade it to the latest and try again.

    All browsers closed, I open Safari 4.0.4 and type in mydomain.com/cpanel and hit enter. I'm already logged in. No password check, no message about cert, nothing.

    On the top right corner of Safari is an icon to some tools. One of those tools is called Reset Safari, it clears everything similar to IE8's Delete Browsing History. I clicked that, then closed Safari then reopened and typed in the domain again as before. This time it asks for my password, as expected.

    This is a browser caching issue it seems to me, not a cPanel problem.

  10. #10
    Registered Member cPanel Partner NOC Badge
    Join Date
    Jul 2003
    Posts
    130

    Default

    Received the following response from cPanelDon:

    Using the provided test account I was able to reproduce the issue in Safari 4.0.4 (6531.21.10) and Google Chrome 4.0.295.0-dev on Mac OS X 10.6.2 Snow Leopard; however, to note, both Safari and Google Chrome use the WebKit engine, unlike Opera and Firefox. In Opera 10.10, Build 6795, I experienced differing, inconclusive results; initially it appeared to exhibit the same behavior but on subsequent attempts it logged-out normally. In Mozilla Firefox 3.6pre I was unable to reproduce the issue.

    Researching internally, per case IDs #31553 and #33444, revealed the difficulty stems from browser-specific session handling when using HTTP Authentication. Additional informational reference: TrueHttpLogoutPatch - Trac Hacks - Plugins Macros etc. - Trac

    As a resolution I recommend switching to cookie-based log-ins for authentication; this may be configured via WHM Tweak Settings within the Security options. Tweak Settings
    Arvixe - Freedom of the web at your fingertips

Similar Threads

  1. Webmail not able to logout
    By SupermanInNY in forum E-mail Discussions
    Replies: 2
    Last Post: 06-25-2004, 11:53 PM
  2. redirect to site from webmail logout???
    By tsg247 in forum E-mail Discussions
    Replies: 0
    Last Post: 06-25-2004, 10:23 AM
  3. WebMail logout problems
    By BackRack in forum E-mail Discussions
    Replies: 3
    Last Post: 05-10-2004, 12:28 PM
  4. webmail logout error
    By whitehat in forum E-mail Discussions
    Replies: 8
    Last Post: 04-14-2004, 03:35 PM
  5. webmail logout error
    By NNNils in forum E-mail Discussions
    Replies: 0
    Last Post: 03-23-2004, 03:51 AM

Tags for this Thread

bargain