Do the following:

  • log in to the site
  • go to the embedded gallery
  • log out
  • go to the embedded gallery again

As the cookie GALLERYSID was not deleted when logging off, the user is still logged in to the gallery.

The cookie should be deleted when logging off from Drupal.

Comments

canyonbreeze:

Priority: Normal » Critical

Same issue. When I log into my Drupal site as administrator then log out, the Gallery2 stays logged in as administrator. Seems like a major security risk.

canyonbreeze:

Priority: Critical » Normal

I figured out a workaround that fixes this. Posted here for reference.
In Drupal modules/user/user.pages.inc

/**
 * Menu callback; logs the current user out, and redirects to the home page.
 */
function user_logout() {
  global $user;

  watchdog('user', 'Session closed for %name.', array('%name' => $user->name));

  // Destroy the current session:
  session_destroy();
  module_invoke_all('user', 'logout', NULL, $user);

  // Load the anonymous user
  $user = drupal_anonymous_user();

  drupal_goto();
}

change drupal_goto(); to drupal_goto('clean_logout.php');

Then create the file clean_logout.php in the root Drupal installation directory containing...

<?php
// Reached via drupal_goto('clean_logout.php') from user_logout() in
// modules/user/user.pages.inc. Expires every cookie the browser sent,
// including GALLERYSID, then ends the PHP session and redirects.
foreach ($_COOKIE as $key => $value) {
  // Expiry time 1 (one second after the epoch) is already in the past, so
  // the browser discards the cookie. Deletion only takes effect when the
  // path and domain match the ones the cookie was originally set with.
  setcookie($key, '', 1);
  unset($_COOKIE[$key]);
}
// session_destroy() warns unless a session is active, so start one first.
if (session_id() == '') {
  session_start();
}
$_SESSION = array();
session_destroy();
header('Location: http://example.com');
exit;
?>
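The workaround above patches Drupal core, which is overwritten by the next core update, and it clears every cookie the browser holds. A narrower way to get the same effect, added here as an example and not code from the Gallery2 module, from Drupal core, or from anyone in this thread, is a small Drupal 6 module that implements hook_user(): user_logout() fires that hook through module_invoke_all('user', 'logout', NULL, $user) before drupal_goto() sends any output, so a Set-Cookie header expiring GALLERYSID can still be emitted from there. The module name gallery_logout, the list of candidate cookie paths and the /gallery2/ install directory are assumptions; the cookie name GALLERYSID comes from the report.

```php
<?php
// gallery_logout.module: hypothetical Drupal 6 module, added as an example.
// Not part of Drupal core or the Gallery2 integration module.

/**
 * Implementation of hook_user().
 *
 * user_logout() invokes this with $op == 'logout' before it redirects, so
 * headers have not been sent yet and setcookie() can still reach the browser.
 */
function gallery_logout_user($op, &$edit, &$account, $category = NULL) {
  if ($op != 'logout') {
    return;
  }
  // GALLERYSID is the Gallery2 session cookie named in the issue report.
  gallery_logout_expire_cookie('GALLERYSID');
}

/**
 * Expire a cookie under every path it might have been set with.
 *
 * A Set-Cookie whose path or domain differs from the original does not
 * delete it, so one expiry is emitted per plausible path. base_path() is
 * Drupal's own helper; the 'gallery2/' suffix is an assumed G2 location.
 *
 * Returns TRUE when the cookie was present in the request, FALSE otherwise.
 */
function gallery_logout_expire_cookie($name) {
  if (!isset($_COOKIE[$name])) {
    return FALSE;
  }
  $paths = array_unique(array('/', base_path(), base_path() . 'gallery2/'));
  foreach ($paths as $path) {
    // Expiry 1 = one second after the epoch, i.e. already in the past.
    setcookie($name, '', 1, $path);
  }
  unset($_COOKIE[$name]);
  return TRUE;
}
```

The module needs a matching gallery_logout.info file (name, description, core = 6.x) next to it, and it can be enabled and disabled like any other module instead of living as a core hack. Two caveats apply to any cookie-based fix, this one included: setcookie() only removes a cookie when name, path and domain all match what Gallery2 set, which is why the helper tries more than one path, and expiring the cookie only detaches that browser. The gallery's server-side session remains valid until it times out, so a cookie value captured earlier keeps working until then; a complete fix also ends the Gallery2 session on the server when Drupal logs the user out.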