box-android-sdk
Android Box SSO not logging out
Hi Team, recently we found an issue: the BoxSession.logout() API is not clearing the SSO cache. The user is able to access the Box files using SSO even though he logged out from Box. Could you let us know whether there is any API for clearing caches?
- Login Box using SSO
- Enter email -> Submit -> Enter Username/Password -> Authentication success -> Able to access files
- Logout Box using BoxSession.logout() -> Login again using SSO -> Enter Email -> Submit -> Entering into Box Files activity without asking the user credentials.
The logout will only work on currently logged-in accounts. However, the WebView will cache SSO credentials for some time by default. The SDK should be clearing the on-disk cache, but the OS could keep something in memory. Does killing the app and restarting not log you in?
Killing the app and restarting works fine as expected, but when I log out and log in again, SSO authentication does not ask for credentials. Is there any API for Android to clear the whole cache from the device?
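You can try clearing cookies like this; there are side effects if you have other WebViews.

```java
// Requires android.webkit.CookieManager and android.webkit.CookieSyncManager.
CookieSyncManager.createInstance(this); // only needed below API 21; deprecated since
CookieManager cookieManager = CookieManager.getInstance();
// The argument is a ValueCallback<Boolean>; null is accepted when no result is needed.
cookieManager.removeAllCookies(null);
```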
Clearing cookies is not helping. The user is still able to log in without authentication after logging out and clearing cookies.
@boyhasnoname Are you still running into this issue?
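A broader version of the cookie-clearing suggestion above, as an added example that is not code from this thread or from the Box SDK: it clears the other app-wide WebView stores as well and waits for the asynchronous cookie removal to finish. The class name `WebViewSessionCleaner` and the `onDone` callback are hypothetical; the thread does not establish which store held the SSO session, and every call here affects all WebViews in the app.

```java
import android.content.Context;
import android.webkit.CookieManager;
import android.webkit.WebStorage;
import android.webkit.WebView;
import android.webkit.WebViewDatabase;

/** Hypothetical helper (not part of the Box SDK): wipes WebView state shared by the whole app. */
public final class WebViewSessionCleaner {
    private WebViewSessionCleaner() {}

    /**
     * Call on the main thread right after BoxSession.logout().
     * onDone (may be null) runs once the cookie store has reported the removal.
     */
    public static void clearAll(Context context, final Runnable onDone) {
        // DOM storage and Web SQL data written by login pages.
        WebStorage.getInstance().deleteAllData();
        // Saved HTTP basic/digest credentials.
        WebViewDatabase.getInstance(context).clearHttpAuthUsernamePassword();

        // The resource cache is per application, so a throwaway WebView clears it for all of them.
        WebView scratch = new WebView(context);
        scratch.clearCache(true);       // true = also delete on-disk cache files
        scratch.clearSslPreferences();  // forget stored "proceed anyway" certificate decisions
        scratch.destroy();

        final CookieManager cookies = CookieManager.getInstance();
        // removeAllCookies is asynchronous (API 21+); starting a new login
        // before the callback fires can still send the old session cookie.
        cookies.removeAllCookies(removed -> {
            cookies.flush(); // write the now-empty cookie store to disk
            if (onDone != null) {
                onDone.run();
            }
        });
    }
}
```

Start the next SSO login from `onDone` rather than immediately after `logout()` returns, so the login page is not loaded while the old cookies are still present.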