Not a bug Logging out a regular user on pub/App.php also logs out Admin CP user on admin/App.php

[Jonathan_Bathrough]

Affected version

2.3.6

Hello,

I am logging into my site through the login section ("login" Template, pub/App.php) as a regular user named Average Joe, who has no moderator or administrator permissions.
In another browser tab, I log into the Admin Control Panel (Admin CP) using the Administrator account ("login_form" Template, admin/App.php), which has owner permissions for the entire site.
Then, when I log out the Average Joe user from the site, the system unexpectedly logs out the Administrator user from the Admin CP as well. These two users should be completely separated and operate in different environments (pub and admin) with separate App.php instances.

Why does logging out a regular user from pub/App.php automatically log out the superuser from admin/App.php?
Because of this bug, I cannot conveniently debug or customize the login Template for pub/App.php, since I am constantly logged out of the Admin CP.
This issue seems to involve session handling and separation between the public and admin applications. Any guidance or fixes would be appreciated.

This bug may cause seciruty issues.

Thank you.

 

[ENF]

This bug may cause seciruty issues.

How so? Explain your theory on how this could cause a security issue.

The session is set in your browser by XF. You can't be logged into XF with two different accounts on the same browser session. (regardless if admin level or regular user)

 

[Jonathan_Bathrough]

How so? Explain your theory on how this could cause a security issue.

There should be independent sessions for public users and for admin users. If public sessions affect admin sessions, it means the developer was lazy and did not account for this in the architecture. This approach reflects the overall discipline in software development within the company.

Another red flag indicating a lack of discipline and rigor in development is the naming of two templates: login and login_form. The first is for the public login page, and the second is for the admin login page.

My main work involves developing high-load, mission-critical systems, and I am used to a strict approach to software design. But here, I encounter carelessness.

 

[Jonathan_Bathrough]

You can't be logged into XF with two different accounts

I am able to log in to two different accounts within the same browser: one as a regular user on the forum, and the other as an administrator in the ACP (Admin Control Panel).

 

[ENF]

I am able to log in to two different accounts within the same browser: one as a regular user on the forum, and the other as an administrator in the ACP (Admin Control Panel).

Ah, yes, that's true - I was thinking about two different user sessions on the front end, which you can't do.
One exclusively logged into the ACP and one on the front-end, yes.

I still don't understand why it would be a security issue if you got logged out from the ACP when logging out from the public side.
In my view, that's a safer action that would prevent someone from leaving their ACP session logged in unknowingly. You can log out from the ACP but that doesn't log you out from the public side session. (expected, because that would be really annoying)

 

[Jonathan_Bathrough]

Ah, yes, that's true - I was thinking about two different user sessions on the front end, which you can't do.
One exclusively logged into the ACP and one on the front-end, yes.

Moreover, the passwords of the same user Administrator must necessarily match for logging into the forum and for logging into the Admin CP. If I change the password of the Administrator user on the forum, then the password in the admin panel also changes.
It turns out that the admin panel and the forum are not two different entities where the admin panel manages the forum, but rather one entity with an illusion of separation.

 

[ENF]

Moreover, the passwords of the same user Administrator must necessarily match for logging into the forum and for logging into the Admin CP. If I change the password of the Administrator user on the forum, then the password in the admin panel also changes.
It turns out that the admin panel and the forum are not two different entities where the admin panel manages the forum, but rather one entity with an illusion of separation.

They don't need to be separated, it's the same user data tables. It never has been an illusion.
AFAIK, all other software with a similar layout, works the same way.

The general rule of thumb is that just like you would with a unix root account or windows AD administrator, a powerful system level account is usually not used for daily BAU work. In linux, you assign a wheel/sudo function and in XF, your daily account isn't the the same one that you use for a full Administrator or superuser in this case. From a design perspective, the software lets you choose how to run your own platform. Creating entirely separate entities isn't cost effective and just doesn't make sense.

 

[Jonathan_Bathrough]

They don't need to be separated, it's the same user data tables. It never has been an illusion.

It turns out that if I know the password of a user with moderator administrator rights on the forum, I can log into the admin panel.

 

[ENF]

It turns out that if I know the password of a user with moderator rights on the forum, I can log into the admin panel.

A moderator should have VERY limited rights in the ACP. (if any at all)
If a moderator account has too much access, that's on you as the owner who set those permissions.

 

[Jonathan_Bathrough]

It never has been an illusion.

No, it is indeed an illusion. Because we have two different entry points, two different applications: pub/App.php and admin/App.php.

 

[Paul B]

Moderators do not have access to the ACP.

Only administrators do.

 

[Jonathan_Bathrough]

Anyway, Im wating for a xenForo's developer answer.

 

[ENF]

No, it is indeed an illusion. Because we have two different entry points, two different applications: pub/App.php and admin/App.php.

That doesn't change the fact that the user data comes from the same location.
There's one database, with one user table. There isn't some firewall built into the database that keeps ACP users and public users separate.
It's all done by the permissions set by the owner/operator.

 

[Jonathan_Bathrough]

user data comes from the same location.

And I think this is a flaw in the architecture. Administrators and forum users should be stored in two separate tables. A forum user with the name "Administrator" should be completely independent from an admin panel user with the name "Administrator." Website administration should be separated from the website itself. This is the foundation of security.

 

[Jonathan_Bathrough]

like you would with a unix root account or windows AD administrator, a powerful system level account is usually not used for daily BAU work.

Sure. According to this logic, all administrator accounts should be banned from the forum site.

 

[Jeremy P]

The public and admin sessions are entirely separate architecturally, but we clear most cookies when logging out of the public app, including the admin session cookie. We do this because otherwise many people will inadvertantly leave their admin session active, so it's more of a deliberate cautiousness than unintentional carelessness.

Because of this bug, I cannot conveniently debug or customize the login Template for pub/App.php, since I am constantly logged out of the Admin CP.

As the other situation is much more common, changing the behavior just to accommodate this one is not sensible. You can easily use an incognito window (or your browser's equivalent) if you wish to view the public login page while editing it in a regular window with an active admin session.

 

[Jonathan_Bathrough]

The public and admin sessions are entirely separate architecturally

It appears not to be "entirely separate architecturally" at all:

If I change the password of the Administrator user on the forum, then the password in the admin panel also changes.
It turns out that the admin panel and the forum are not two different entities where the admin panel manages the forum, but rather one entity with an illusion of separation.

If you intend to separate "architecturally" public and admin sessions you should separate user tables.