Logging out asynchronously keeps returning user's data until you refresh page #85
You are probably using the If you do not delete that cookie then the user can still access the API. A page reload will start a new session with a different CSRF-token, but if you stay within your loaded single page application then you still use the old CSRF token that is the one needed to use the Try adding this to your logout function: `return /*whatever response you return*/->withCookie(Cookie::forget('laravel_token'))`

@jonasvanderhaegen you can get 401 error without refreshing the page - log in back asynchronously and you have it. @SebastianS90 suggestion works, using Laravel Facade `return /*whatever response you return*/->withCookie(cookie()->forget('laravel_token'))`

This is a serious problem. Let's say I have a SPA and I have two tabs opened on the browser. I logout in one of them and step away from the computer. This basically provides full access to anyone who sits next to me and doesn't refresh the other tab.
I agree. The solution is to delete the cookie on logout. I see two approaches:
@SebastianS90 deleting the cookie on one tab does not solve the issue with it being sent from another already opened tab. One possible solution would be to generate a "session" for the user and, when you logout, delete that session. But that session should be stored on the server and compared at each request. That session should be created at login and destroyed at logout and work together with the current cookie (which is for guests too). So there should be 3 auth middlewares: web, api and spa.

@doublebit How does your second tab still work when the cookie is deleted? The requests sent from the second tab after proper logout in the first tab (with deleting that cookie) won't have the token cookie any more and therefore they will not be authenticated. The cookies are per-browser and not per-tab.
@SebastianS90 How do you delete a cookie in a tab that's already opened? Steps:
At this point, if you switch back to tab B, it still has the cookie. It was deleted only on tab A. The cookie, as you know, is stored on the browser, not on the server, and deleting it in one request does nothing more than telling that tab of the browser to delete it, but it doesn't affect other tabs already opened.

I tried it, and it works for me as expected when using my custom logout controller function:

```php
public function logout(Request $request)
{
    Auth::logout();
    // Delete all session data and get a new
    // session id for security
    $request->session()->flush();
    $request->session()->regenerate();
    // Go back to login page
    return redirect()->route('login')
        // Delete the passport authentication token
        ->withCookie(Cookie::forget(Passport::cookie()));
}
```

The last line is the most important one. Don't forget to import ( After authentication, the server sends All following requests (in particular the ajax requests to my API) carry the header On logout, the server sends: When I go back to my other tab and issue some ajax requests, then they do not carry the Even if I login again in a different tab, then I cannot use the tab that is still open from the first session. The reason for this is that we again send a Note that cookies are stored in the browser, not in the page or tab. So modifying cookies from one tab also affects your other tabs. Therefore the logout works. On the other hand, the csrf token is stored within the page/tab. You need both in order to be logged in, i.e. a valid The real issue here is that the default implementation does not delete the
@SebastianS90 Thanks man! You're right, the cookie is not stored in the tab, that's what I was omitting. The default implementation of logout is fine, but the documentation for passport should mention your solution. Maybe you can create a pull request on docs to update this section with your solution.

I've chosen to post a pull request to handle it out of the box. Lazy developers don't read all documentation and might oversee this tiny but very important detail. And without this precaution it is really easy for an attacker to get back to a working session by using Ctrl+Alt+T or just the browser's back button. Thanks @doublebit for pointing out the potential security issue with this. I hope they accept my PR or something similar to it.
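A way to verify the fix discussed above in a Laravel feature test, added here as an example and not code from the thread or from Passport itself. It assumes a `/logout` route using the logout action shown earlier, a `/api/user` route behind the `auth:api` guard, and the default `App\User` model factory.

```php
<?php
// Added example (not from the issue thread): a feature test that checks the
// logout response instructs the browser to drop the Passport token cookie,
// so an open SPA tab stops being authenticated without a page reload.
// The '/logout' and '/api/user' routes and the User factory are assumptions.

namespace Tests\Feature;

use App\User;
use Laravel\Passport\Passport;
use Tests\TestCase;

class LogoutForgetsPassportCookieTest extends TestCase
{
    public function testLogoutExpiresPassportTokenCookie()
    {
        $user = factory(User::class)->create();

        // Authenticate through the session guard; the CreateFreshApiToken
        // middleware attaches the laravel_token cookie to this response.
        $this->actingAs($user)->get('/home');

        $response = $this->post('/logout');

        // Look for the Passport cookie in the logout response and check that
        // its expiry lies in the past, i.e. Cookie::forget() was applied.
        $expired = false;
        foreach ($response->headers->getCookies() as $cookie) {
            if ($cookie->getName() === Passport::cookie()) {
                $expired = $cookie->getExpiresTime() < time();
            }
        }
        $this->assertTrue($expired, 'logout must forget '.Passport::cookie());

        // Without the token cookie the API guard must reject the request,
        // which is what the still-open tab will now receive.
        $this->getJson('/api/user')->assertStatus(401);
    }
}
```

The first assertion is the one that fails against the default logout action and passes once `->withCookie(Cookie::forget(Passport::cookie()))` is added.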
It's more of a detail than issue maybe but nevertheless I'll just address it here.
(experience with L5.3 & vue/vue-resource/vue-router is good).
In the meantime I'll try to figure it out myself. While yes I could refresh the page with javascript or whatever, I think this would be a nice detail to not have to refresh page to actually be logged out with one page applications.