Session and CSRF cookie not being deleted when logging out #551

Closed
Toflar opened this issue Jul 4, 2019 · 5 comments

Comments

@Toflar
Member

commented Jul 4, 2019

Affected version(s)

4.8

Description

When I log out of the back end, I'd expect the SESSIONID and csrf_https-contao_csrf_token cookies to be deleted, but they remain valid.

How to reproduce

Log in and log back out 😄

@Toflar Toflar added the defect label Jul 4, 2019

@Toflar Toflar added this to the 4.8 milestone Jul 4, 2019
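
A regression check for the behaviour reported above, as an added example that is not part of the thread or of Contao's code: it reads the Set-Cookie headers of a logout response and lists the cookies that were not deleted. The two cookie names come from the issue; the header values are constructed samples and the function names are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names taken from the issue text.
EXPECTED_DELETED = ["SESSIONID", "csrf_https-contao_csrf_token"]

# Constructed sample headers (not captured from a real Contao install).
REPORTED = ["SESSIONID=0a1b2c3d; path=/; secure; HttpOnly"]  # regenerated, not removed
EXPECTED = [
    "SESSIONID=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/",
    "csrf_https-contao_csrf_token=deleted; Max-Age=0; path=/; secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, lower-cased attribute dict)."""
    first, *rest = header.split(";")
    name = first.strip().partition("=")[0]
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip()
    return name, attrs


def is_deletion(attrs, now):
    """True if the attributes expire the cookie immediately."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # an invalid Max-Age is ignored, fall back to Expires
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return False  # no usable expiry: the cookie is being set, not removed
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return expires <= now


def cookies_not_deleted(headers, expected=EXPECTED_DELETED, now=None):
    """Return the expected cookie names the logout response failed to delete."""
    now = now or datetime.now(timezone.utc)
    state = {}
    for header in headers:  # a later header for the same name overrides an earlier one
        name, attrs = parse_set_cookie(header)
        state[name] = is_deletion(attrs, now)
    return sorted(n for n in expected if not state.get(n, False))
```

Feeding it the headers of a real logout response in a functional test turns the expectation in this report into an assertion that fails whenever a session cookie survives logout.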

@leofeyer

Member

commented Jul 4, 2019

Isn't this because the session is only being regenerated and not terminated? And the CSRF cookie is probably there for the login form.

@Toflar

Member Author

commented Jul 4, 2019

CSRF: No it's there because there is another cookie = probably personal information = needs protection.

But the session cookie should be killed if I log myself out.

@leofeyer

Member

commented Jul 4, 2019

Agreed.

@leofeyer leofeyer changed the title [4.8] Session and CSRF cookie not being deleted when logging out Session and CSRF cookie not being deleted when logging out Jul 4, 2019

@Toflar

Member Author

commented Jul 9, 2019

It's pretty much super complex 🙈 @aschempp and I worked on a possible solution, let's see what the Symfony folks think about it: symfony/symfony#32455

@leofeyer

Member

commented Aug 12, 2019

symfony/symfony#32455 has been merged 🎉

@leofeyer leofeyer closed this Aug 12, 2019
