Chapter 5.1: Broken deauthentication - code

README.md

@@ -1,10 +1,19 @@
 # Secure Coding with Python.
 
-## Chapter 4: Broken Authentication
-### Fix
-In order to avoid giving to much information, we need to use a more generic error message that doesn't give away specifics of the users.
+## Chapter 5: Broken De-Authentication
+### Requirement
+Now that users are allowed to login, we need to let them logout.
 
-**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/5.1-broken-deauthentication/code)**
+### Development
+We set the `logged_in` session value to `False` and redirect the user to the login page.
+
+### Vulnerability
+Since flask by default uses cookie store for the sessions, we rely on the information stored in it as the ultimate
+source of truth. A source of truth that the user has control over. Because of this, if an attacker get's his/her
+hands on a session cookie, they could use them, even after the user logged out to get into the user's account.
+
+
+**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/5.1-broken-deauthentication/test)**
 
 ## Index
 ### 1. Vulnerable Components

marketplace/templates/users/welcome.html

@@ -5,5 +5,6 @@ <h1>{% block title %}Welcome{% endblock %}</h1>
 {% endblock %}
 
 {% block content %}
+<a href="/user/logout">Logout</a><br/>
 Welcome to the marketplace!
 {% endblock %}

marketplace/users.py

@@ -40,7 +40,13 @@ def login():
     return render_template('users/login.html', error=error)
 
 
+@bp.route('/logout', methods=('GET',))
+def logout():
+    session['logged_in'] = False
+    return redirect(url_for('users.login'))
+
+
 @bp.route('/welcome', methods=('GET',))
 @auth
-def welcome():
+def welcome(user):
     return render_template('users/welcome.html')