WebMail Logout Should be Definitive

[webr00t]

A client of mine just informed me that when he logs out from WebMail, then goes back to the same URL, he is logged back in again. I verified this. Others are upset about it as well.

http://forums.cpanel.net/f5/email-no...rly-20428.html

You can't really log out of WebMail unless you completely close the browser. This is unacceptable -- proper session management would make solving this trivial. PLEASE fix this in future versions. Most people won't know they have to close the browser, and in many cases of public terminals they apparently cannot close the browser completely.

[cPanelDon]

I attempted to reproduce the issue but I was unable to do so using the latest EDGE build of cPanel version 11.25. When testing I logged-in to webmail using SSL on port 2096, successfully loaded the webmail index, then clicked the logout link in the upper-right corner of the page; upon trying to re-access the webmail index page (i.e., the page shown immediately after logging-in) I was prompted with a login screen; I tested with HTTP authentication (where cookie authentication is disabled).

What is your full cPanel version number?

What port is being used when accessing webmail? (Examples: non-SSL on 2095, or SSL on 2096)

Is cookie authentication enabled or disabled (in WHM Tweak Settings)?

What is the precise method and exact steps being used to login, logout, and then go back (and go back to what URL)? Please try to provide as much detail as possible so we may accurately attempt to reproduce the issue.

Moderator Note: I've relocated the thread into the cPanel and WHM Discussions forum.

[btx5]

Bump for the first post. My instance of cPanel also behaves the same.

If clicking "Logout" or "Sign Out" in any of the webmail clients (Horder,Squirrel,Roundcube) user is taken to: http://www.domain.com:2095/webmaillogout.cgi - showing logout message.

However, if http://www.domain.com:2095 is loaded, user is taken to: http://www.domain.com:2095/webmail/x3/?login=1, with full login rights.

Closing the browser has no affect. User can still access webmail control panel without authentication. Using 2096 (SSL) exhibits the SAME behaviour.

Browser: Safari Version 4.0.3 (5531.9)

cPanel info:
cPanel Version 11.24.5-RELEASE
cPanel Build 38506
Theme x3
Apache version 1.3.37 (Unix)
PHP version 4.4.3
MySQL version 4.1.22-standard
Architecture i686
Operating system Linux

[btx5]

Just to add to the above post: deleting cookies does not affect behaviour.

In Safari: Selecting Safari>Preferences>Security>Show All Cookies>Remove all.

User can still access mail via http://www.domain.com:2095/

It seems this instance of cPanel is also exhibiting the same behaviour for the domain control panel via www.domain.com:2082. I.e., not logging out, and allowing unauthenticated access via the 2082 url.

[cPanelDon]

Bump for the first post. My instance of cPanel also behaves the same.

If clicking "Logout" or "Sign Out" in any of the webmail clients (Horder,Squirrel,Roundcube) user is taken to: http://www.domain.com:2095/webmaillogout.cgi - showing logout message.

However, if http://www.domain.com:2095 is loaded, user is taken to: http://www.domain.com:2095/webmail/x3/?login=1, with full login rights.

Closing the browser has no affect. User can still access webmail control panel without authentication. Using 2096 (SSL) exhibits the SAME behaviour.

Browser: Safari Version 4.0.3 (5531.9)

cPanel info:
cPanel Version 11.24.5-RELEASE
cPanel Build 38506
Theme x3
Apache version 1.3.37 (Unix)
PHP version 4.4.3
MySQL version 4.1.22-standard
Architecture i686
Operating system Linux

Just to add to the above post: deleting cookies does not affect behaviour.

In Safari: Selecting Safari>Preferences>Security>Show All Cookies>Remove all.

User can still access mail via http://www.domain.com:2095/

It seems this instance of cPanel is also exhibiting the same behaviour for the domain control panel via www.domain.com:2082. I.e., not logging out, and allowing unauthenticated access via the 2082 url.

So that we can more thoroughly inspect the reported issue please submit a ticket; if needed, the link in my forums signature may be used to initiate a ticket submission. When available, please PM me the ticket number.

[Infopro]

A client of mine just informed me that when he logs out from WebMail, then goes back to the same URL, he is logged back in again. I verified this. Others are upset about it as well.

http://forums.cpanel.net/f5/email-no...rly-20428.html

That thread is years old. I don't see anyone upset, more of asking why, there.

You can't really log out of WebMail unless you completely close the browser. This is unacceptable -- proper session management would make solving this trivial. PLEASE fix this in future versions. Most people won't know they have to close the browser, and in many cases of public terminals they apparently cannot close the browser completely.

You don't mention the browser used, how many windows were open, etc, but ending a session by closing the browser is quite normal.

Why do browsers implement Session Merging?
Proper support for Session Merging is important because most web applications are written to expect it. For instance, when a web application opens a popup window, it usually does so with the expectation that the popup window will share cookies with the main window, so that the user will remain logged in and their preferences will remain available, etc. Similarly, when the user uses the Duplicate Tab command, they reasonably expect the new tab to show them the same content as the original tab-- sharing cookies is critical for that scenario to work correctly.

Quoted from this link: Session Cookies, sessionStorage, and IE8

You might like to read the rest of it there.

[MAXp0wr]

I am also having this problem, after logging in to webmail I was unable to log out, at all.
So far only in Safari and Chrome.
Everything seems to work fine in Firefox and Opera.

* Tested on one window with a single tab.
* Tested on both SSL and non-SSL (2095 & 2096).

I was able to go straight back in to webmail after:
- Logging out and seeing logged out message.
- Logging out then closing and re-opening a window.
- Logging out then quitting and then re-launching the application.

I really don't see this as normal behaviour. It's a major problem and my users will go nuts when they realise this problem exists.

[Arvand]

This is an issue that happens in all Safari versions on the new webmail. I've verified this with several different Windows/Mac Safari installations

Login to Webmail. Click on Logout on top right. Choose to log back in on the log out screen. It will log you back in without asking for a password.

We are running the latest RELEASE version. This has been tested on several different servers as well.

[Infopro]

I don't use safari for much other than quick testing at times. The version I had installed was beta 4 up until a few minutes ago. Using that one, I logged into cPanel and then into webmail > RoundCube. After viewing mailbox I clicked logout and then got the do you want to login again, I clicked it and it did ask me for my password as I would expect. I closed the browser and then decided to upgrade it to the latest and try again.

All browsers closed, I open Safari 4.0.4 and type in mydomain.com/cpanel and hit enter. I'm already logged in. No password check, no message about cert, nothing.

On the top right corner of Safari is an icon to some tools. One of those tools is called Reset Safari, it clears everything similar to IE8's Delete Browsing History. I clicked that, then closed Safari then reopened and typed in the domain again as before. This time it asks for my password, as expected.

This is a browser caching issue it seems to me, not a cPanel problem.

[Arvand]

Received the following response from cPanelDon:

Using the provided test account I was able to reproduce the issue in Safari 4.0.4 (6531.21.10) and Google Chrome 4.0.295.0-dev on Mac OS X 10.6.2 Snow Leopard; however, to note, both Safari and Google Chrome use the WebKit engine, unlike Opera and Firefox. In Opera 10.10, Build 6795, I experienced differing, inconclusive results; initially it appeared to exhibit the same behavior but on subsequent attempts it logged-out normally. In Mozilla Firefox 3.6pre I was unable to reproduce the issue.

Researching internally, per case IDs #31553 and #33444, revealed the difficulty stems from browser-specific session handling when using HTTP Authentication. Additional informational reference: TrueHttpLogoutPatch - Trac Hacks - Plugins Macros etc. - Trac

As a resolution I recommend switching to cookie-based log-ins for authentication; this may be configured via WHM Tweak Settings within the Security options. Tweak Settings