Describe the bug
Session cookies are not being destroyed after a user logs out. This means that compromised session data could be misused, undermining the expected security benefits of the logout process.
This may be part of the work the team is already doing, but I wanted to call it out specifically.
Recommendations
The server must explicitly invalidate the associated session data and session cookie by deleting the session data from the server-side store and marking the cookie as expired.
Upon logout, create a completely new session ID for the user. This ensures that even if the old session cookie exists, it's no longer tied to valid session data.
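The two recommendations above, shown together as an added example (not code from this project). It assumes a framework-agnostic picture: a dict-backed server-side session store, a cookie named `sid`, and raw `Cookie` / `Set-Cookie` header strings; the `logout_insecure` function reproduces the reported behaviour (cookie cleared on the client, data left on the server) beside the hardened `logout_secure`, and `is_authenticated` is the replay check that shows the difference.

```python
"""Logout must kill server-side session state, not just the client cookie.

Added example, not the project's code. Assumed: an in-memory session store,
a cookie named "sid", and plain header strings instead of a web framework.
"""
import secrets

SESSION_COOKIE = "sid"  # assumed cookie name

# Expires in the past AND Max-Age=0: some clients honour only one of the two.
EXPIRED_ATTRS = "Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT"
COOKIE_ATTRS = "Path=/; HttpOnly; Secure; SameSite=Lax"


class SessionStore:
    """Server-side store keyed by an unguessable session ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, data=None):
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy from the CSPRNG
        self._sessions[sid] = dict(data or {})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        """Delete the session data; idempotent for unknown or already-dead IDs."""
        return self._sessions.pop(sid, None) is not None


def parse_cookie_header(header):
    """Minimal 'k=v; k2=v2' parser for Cookie and Set-Cookie strings."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def is_authenticated(store, cookie_header):
    """What a protected endpoint checks: the presented sid maps to a logged-in session."""
    sid = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
    data = store.get(sid) if sid else None
    return bool(data and data.get("authenticated"))


def logout_insecure(store, cookie_header):
    """The reported bug: the browser is told to drop the cookie, but the
    server-side session survives, so anyone holding the old sid stays logged in."""
    return [("Set-Cookie", f"{SESSION_COOKIE}=; {EXPIRED_ATTRS}; {COOKIE_ATTRS}")]


def logout_secure(store, cookie_header, start_anonymous_session=True):
    """Recommended logout: destroy server-side data, expire the cookie, and
    hand the client a brand-new ID so the old one is never tied to anything."""
    sid = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
    if sid is not None:
        store.destroy(sid)  # step 1: server-side invalidation, regardless of client
    if not start_anonymous_session:
        # step 2 only: mark the cookie expired
        return [("Set-Cookie", f"{SESSION_COOKIE}=; {EXPIRED_ATTRS}; {COOKIE_ATTRS}")]
    # step 3: fresh, unauthenticated session; overwriting the cookie with the new
    # value both removes the old ID from the client and rotates the identifier.
    fresh = store.create({"authenticated": False})
    return [("Set-Cookie", f"{SESSION_COOKIE}={fresh}; {COOKIE_ATTRS}")]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create({"authenticated": True, "user": "alice"})  # constructed login
    captured = f"{SESSION_COOKIE}={sid}"  # an attacker's copy of the cookie header

    logout_insecure(store, captured)
    print("after insecure logout, replay works:", is_authenticated(store, captured))

    headers = logout_secure(store, captured)
    print("after secure logout, replay works:", is_authenticated(store, captured))
    print("new cookie issued:", headers[0][1])
```

The replay check is the test a reviewer should run against the real app: log in, copy the `Cookie` header, log out in the browser, then resend a request to a protected endpoint with the copied header. If it still returns authenticated content, the server-side store was not cleared, whatever the `Set-Cookie` on the logout response said.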