
  • Thomas 2 posts 72 karma points
    Mar 27, 2018 @ 13:23
    Thomas
    0

    Umbraco backoffice cookie remains valid after signing out.

    I have a question about the backoffice cookie. It appears that it remains valid for the backoffice API even when the user signs out of the backoffice. I have searched for related issues or topics, but I could not find one directly.

    But my question is about the following. When a user clicks on sign out from the Backoffice, any subsequent backoffice API call made to Umbraco after the sign out will still work. The user must log in again to use the backoffice, but anyone with the cookie can still use the backoffice API (and any other API provided by installed plugins).

    Steps to reproduce:

    • Install Umbraco 7.10.
    • Open browser debugger / inspector, open Network tab and hit Persist Logs.
    • Log in to Umbraco.
    • Log out of Umbraco.
    • Look for "GetSections" call in Network log.
    • Hit right click > Replay XHR (chromium), or hit Edit and Resend (firefox).

    When you do this, the backoffice API still responds with a 200 and a list of sections for the user to which the cookie belongs. But is that correct? Because the cookie should have been invalidated by Umbraco since the user signed out.

    Now, the GetSections API is not that big of a problem, since it does not really expose anything interesting. But all derivatives of UmbracoAuthorizedJsonController also remain accessible, which are used by plugins and can contain sensitive information which, hence the name, should only be accessible by authorized users. I use those controllers to build a custom section in Umbraco and use Umbraco not really as a CMS, but more as a host for managing a custom database and system.

    Am I doing anything wrong, am I using the wrong base controller for this or is this a bug in the authorization in Umbraco?

  • Dan Diplo 1554 posts 6205 karma points MVP 5x c-trib
    Mar 28, 2018 @ 19:05
    Dan Diplo
    0

    I've not been able to reproduce this. I tried it with one of my packages - God Mode - and after I logged out of Umbraco I wasn't able to replay the XHR requests to any controllers, they returned a 401.

    I'm using UmbracoAuthorizedJsonController which, as you note, is the correct controller for accessing authenticated content. You can view source code for this on GitHub if you want to check.

    NB. I tested in Umbraco 7.9.2 so it's possible this could be a bug introduced in 7.10. If you are certain you can reproduce then I'd log an issue on the Issue Tracker - http://issues.umbraco.org/dashboard

  • Thomas 2 posts 72 karma points
    Apr 10, 2018 @ 07:52
    Thomas
    0

    Thanks for your reply. It took a while to find some time to test it again. But I can reproduce the issue reliably now, so I'll create an issue in the issue tracker.
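The behaviour the first post describes (a replayed backoffice cookie still returning 200 after sign out) is the classic symptom of a logout that only asks the browser to discard the cookie while the server keeps no record of which sessions are still live. The following is an added illustration written for this thread, not Umbraco's own code and not a description of how Umbraco implements its cookie: it models a toy HMAC-signed auth cookie, a hypothetical `StatelessBackoffice` whose logout changes no server state, and a `RevocableBackoffice` that tracks active session ids and rejects the replayed cookie with 401. The `replay_after_logout` helper performs the same check as the "Replay XHR" step in the post: log in, call `get_sections`, log out, replay with the old cookie. The key, user name and session ids are constructed sample values.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key; a real deployment keeps this out of source code.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user: str, session_id: int) -> str:
    """Sign {user, sid} so the cookie cannot be forged without SERVER_KEY."""
    payload = json.dumps({"user": user, "sid": session_id}).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def parse_cookie(cookie: str):
    """Return the claims if the signature verifies, else None."""
    try:
        enc_payload, enc_sig = cookie.split(".")
        payload, sig = _unb64(enc_payload), _unb64(enc_sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


class StatelessBackoffice:
    """Hypothetical server that trusts any validly signed cookie.

    Logout only tells the browser to drop the cookie; nothing on the
    server changes, so a captured copy stays usable until it expires.
    """

    def __init__(self):
        self.next_sid = 0

    def login(self, user: str) -> str:
        self.next_sid += 1
        return issue_cookie(user, self.next_sid)

    def logout(self, cookie: str) -> str:
        # Client-side deletion only; server state is untouched.
        return "Set-Cookie: auth=; Max-Age=0"

    def get_sections(self, cookie: str) -> int:
        # Stands in for an authorized endpoint such as GetSections.
        return 401 if parse_cookie(cookie) is None else 200


class RevocableBackoffice(StatelessBackoffice):
    """Same cookie format, but the server remembers which sessions are live."""

    def __init__(self):
        super().__init__()
        self.active_sids = set()

    def login(self, user: str) -> str:
        cookie = super().login(user)
        self.active_sids.add(self.next_sid)
        return cookie

    def logout(self, cookie: str) -> str:
        claims = parse_cookie(cookie)
        if claims is not None:
            self.active_sids.discard(claims["sid"])  # revoke server-side
        return super().logout(cookie)

    def get_sections(self, cookie: str) -> int:
        claims = parse_cookie(cookie)
        if claims is None or claims["sid"] not in self.active_sids:
            return 401
        return 200


def replay_after_logout(backoffice: StatelessBackoffice) -> int:
    """Log in, sign out, then replay the old cookie; return the status code."""
    cookie = backoffice.login("thomas")  # constructed user
    assert backoffice.get_sections(cookie) == 200, "fresh cookie must work"
    backoffice.logout(cookie)
    return backoffice.get_sections(cookie)


if __name__ == "__main__":
    print("stateless :", replay_after_logout(StatelessBackoffice()))   # 200
    print("revocable :", replay_after_logout(RevocableBackoffice()))   # 401
```

The replay test is the useful part for anyone verifying a fix: whatever the framework, the check after sign out should return 401 for the old cookie, and a 200 means logout is not invalidating anything on the server. The same server-side bookkeeping is also what lets an administrator terminate a session without waiting for the cookie to expire.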
