Incomplete Session Invalidation on Logout #6975

Open
dkatzz opened this issue Mar 20, 2024 · 1 comment

Labels: bug Something isn't working, security

Comments

@dkatzz
Contributor

dkatzz commented Mar 20, 2024

Describe the bug
Session cookies are not being destroyed after a user logs out. This means that compromised session data could be misused, undermining the expected security benefits of the logout process.

This may be part of the work the team is already doing, but I wanted to call it out specifically.

Recommendations

  • The server must explicitly invalidate the associated session data and session cookie by deleting the session data from the server-side store and marking the cookie as expired.
  • Upon logout, create a completely new session ID for the user. This ensures that even if the old session cookie exists, it's no longer tied to valid session data.
@dkatzz dkatzz added bug Something isn't working needs-triage bugs that have not yet been triaged labels Mar 20, 2024
@nb1701 nb1701 added security and removed needs-triage bugs that have not yet been triaged labels Apr 9, 2024
@shreyachatterjee00 shreyachatterjee00 assigned nb1701 and unassigned nb1701 Jun 3, 2024
@dkatzz
Contributor Author

dkatzz commented Jun 24, 2024

(Screenshot attached: Screenshot 2024-06-24 at 7 08 01 PM.) If you log in and then look at the cookies in the network tab, when you log out, the session cookie doesn't get wiped.

I think you can then log back in using the cookies (and without the login info), but I'm not exactly sure how

@jeffpw-goog jeffpw-goog self-assigned this Jul 1, 2024
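The following is an added example, not code from this project or from the reporter. It models the two recommendations in the issue body (delete server-side session data and send an expired cookie on logout) and the replay check described in the second comment (log in, capture the cookie, log out, then present the captured cookie again). The cookie name `session`, the in-memory `SessionStore`, and the `login`/`logout_*`/`protected_resource` handlers are all hypothetical; a real check would run the same replay against the project's own endpoints with `curl` or the browser's network tab.

```python
"""Simulated login/logout flow showing why a logout that neither destroys the
server-side session nor expires the cookie lets a captured cookie be replayed.
Hypothetical example; the cookie name and handlers are assumptions."""
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "session"  # assumed cookie name


class SessionStore:
    """Minimal in-memory server-side session store keyed by session ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
        self._sessions[sid] = {"user": user, "created": time.time()}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def delete(self, sid):
        self._sessions.pop(sid, None)


def sid_from_request(cookie_header):
    """Extract the session ID from an incoming Cookie header (None if absent)."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def expired_set_cookie():
    """Set-Cookie value that overwrites the browser's copy with an already-expired one."""
    return (f"{COOKIE_NAME}=; Path=/; Max-Age=0; "
            "Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax")


def login(store, user, cookie_header=None):
    """Authenticate and issue a fresh session ID, discarding any ID the client
    already presented (rotating on login also defeats session fixation)."""
    old = sid_from_request(cookie_header)
    if old:
        store.delete(old)
    sid = store.create(user)
    return {"Set-Cookie": f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"}


def logout_incomplete(store, cookie_header):
    """The behaviour the issue describes: redirect only; server data and cookie survive."""
    return {"Location": "/login"}


def logout_complete(store, cookie_header):
    """Destroy server-side state and tell the browser to drop the cookie."""
    sid = sid_from_request(cookie_header)
    if sid:
        store.delete(sid)
    return {"Location": "/login", "Set-Cookie": expired_set_cookie()}


def protected_resource(store, cookie_header):
    """Return 200 only when the presented session ID maps to live server-side state."""
    sid = sid_from_request(cookie_header)
    return 200 if sid and store.get(sid) else 401


def replay_after_logout(logout):
    """Replay the cookie captured before logout; 401 means logout was effective."""
    store = SessionStore()
    resp = login(store, "alice")
    # "session=<sid>", exactly what an attacker sniffing the earlier request would hold
    captured = resp["Set-Cookie"].split(";", 1)[0]
    assert protected_resource(store, captured) == 200
    logout(store, captured)
    return protected_resource(store, captured)


if __name__ == "__main__":
    print("incomplete logout, replay ->", replay_after_logout(logout_incomplete))  # 200
    print("complete logout, replay   ->", replay_after_logout(logout_complete))    # 401
```

The server-side delete is what actually closes the hole: the expired `Set-Cookie` only helps a well-behaved browser forget the value, while a copy of the cookie taken from the network tab or a proxy log is still presented verbatim, so the replay in `replay_after_logout` is the check to run against the real application after the fix lands.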
Projects
Status: Ready for Development
Development

No branches or pull requests

3 participants