Can this be resolved? This is what's happening:

User A logs in through fbconnect -> logs out of Drupal -> user B logs back in through fbconnect and is not prompted for auth; user B logs right into user A's account! This would be a security issue.

Comments

gregarios

... is this happening on the same computer, or does this happen if User A and User B are on different computers?

amishra

On the same computer, on the same browser. Flushing drupal and/or browser cache has no effect.

gregarios

Priority: Critical » Normal
Status: Active » Closed (works as designed)

This is not a security issue, nor is it a bug... this is your computer remembering the password. They aren't stored in your browser cache. The purpose of this module is to do exactly what you are calling an 'issue.'

amishra

Well, correct me if I am wrong, but it doesn't store passwords. I can...

log in to FB as user A
log out
try to log back in and I am prompted again for credentials
this time I can log in as user A or user B

I think "not" being asked for credentials after you have "logged out", when you have not chosen to remember passwords, is a security issue. No? If this is the case, then imagine a family using the same machine: everyone will be logging into the same account, regardless of whether they want to or not. The module does not allow logging in as another FB user once a user has logged in using fbconnect.

WildBill

Yes, I also found the same as amishra, and found it quite worrying. When you click "Log Out" and the message says "Also logging you out of Facebook", sometimes it doesn't really log you out of FB. Thus, the next person using that computer would click the "Connect with Facebook" button and immediately be logged into the previous person's account, without auth.

Amishra, please correct me if that's not the same issue you're experiencing...