Shibboleth sessions are restored on next login after logging out #8475
Labels: authentication: Shibboleth (Related to authentication via Shibboleth), bug, help wanted (Needs a volunteer to claim to move forward), high priority
Describe the bug
Impossible to log in via username/password after logging out of a Shibboleth session
_shibsession_* cookie remains even after logging in
To Reproduce
Steps to reproduce the behavior:
_shibsession_* cookie in your browser's dev tools
_shibsession_* cookie remains
Expected behavior
Shibboleth sessions should not bleed over into the next "password session"
Preliminary investigation
Confirmed that this issue cannot be addressed from the frontend, as the _shibsession_* cookie is HttpOnly. We may be able to solve this by explicitly ignoring the cookie in REST if a login attempt is being made with username/password.
Related work
Discovered while working on DSpace/dspace-angular#1805
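A sketch of the server-side idea from the preliminary investigation, added here as an example; it is not DSpace code and not the fix the project adopted. The filter class, the "password" parameter check and the cookie path "/" are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration, not DSpace code. javax.servlet (Servlet 4.0) is assumed.
public class IgnoreShibCookieOnPasswordLoginFilter implements Filter {
    private static final String SHIB_PREFIX = "_shibsession_";

    // Assumption: a password login is a POST carrying a "password" form parameter.
    static boolean isPasswordLogin(HttpServletRequest req) {
        return "POST".equalsIgnoreCase(req.getMethod()) && req.getParameter("password") != null;
    }

    static boolean isShibCookie(Cookie c) {
        return c.getName().startsWith(SHIB_PREFIX);
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        Cookie[] cookies = req.getCookies(); // null when the request carried no cookies
        if (cookies == null || !isPasswordLogin(req)) {
            chain.doFilter(req, res);
            return;
        }
        // JavaScript cannot touch an HttpOnly cookie, so the server expires it instead.
        for (Cookie c : cookies) {
            if (!isShibCookie(c)) continue;
            Cookie expired = new Cookie(c.getName(), "");
            expired.setPath("/");      // assumption: must match the path the cookie was set with
            expired.setMaxAge(0);      // Max-Age=0 tells the browser to delete it
            expired.setHttpOnly(true);
            expired.setSecure(req.isSecure());
            res.addCookie(expired);
        }
        // Hide the stale Shibboleth cookies from everything further down the chain.
        final Cookie[] kept = Arrays.stream(cookies)
                .filter(c -> !isShibCookie(c)).toArray(Cookie[]::new);
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override
            public Cookie[] getCookies() {
                return kept.length == 0 ? null : kept;
            }
        }, res);
    }
}
```

The wrapper only changes what `getCookies()` returns; the raw `Cookie` header, and anything a Shibboleth SP module in front of the application derives from the cookie, is outside this filter's reach.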