Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can't sign out from RStudio Server if "Stay signed in" is checked when first logging in #1538

Closed
jmcphers opened this issue Oct 2, 2017 · 4 comments
Assignees
Milestone

Comments

@jmcphers
Copy link
Member

@jmcphers jmcphers commented Oct 2, 2017

If you've chosen to "Stay signed in" when first logging in to RStudio Server, you can never sign out again after the first time you close all browsers. (If you sign out before exiting the browser app, signout will be successful.)

To reproduce:

  1. Make sure you're logged out of RStudio
  2. Log in to RStudio with "Stay signed in" checked
  3. Close all browser windows
  4. Open a browser window and visit RStudio. You will be automatically logged in.
    --> 5a) Click on the signout icon in the upper right hand corner
    or
    --> 5b) Click on the "R" logo on the upper right to get to the home page, then click on the signout icon in the upper right hand corner

This takes you to the page "auth-sign-out" with the error
Missing or incorrect token.

The only way to sign out at this point is to clear cookies.

RSP 1.1.374 on Ubuntu (Xenial), CentOS, and openSUSE.

@jmcphers jmcphers self-assigned this Oct 2, 2017
@jmcphers jmcphers changed the title Can't sign out from RSP if "Stay signed in" is checked when first logging in Can't sign out from RStudio Server if "Stay signed in" is checked when first logging in Oct 2, 2017
@ronblum
Copy link
Contributor

@ronblum ronblum commented Oct 4, 2017

Another method for signing out—in addition to clearing out cookies—is to point the browser at the “auth-sign-in” page: <RStudio_Server_URI:port>/auth-sign-in

@jmcphers
Copy link
Member Author

@jmcphers jmcphers commented Oct 11, 2017

I'm surprised no one's reported this since the issue also exists in 1.0 (and has ever since we added CSRF protection). Fix is pretty simple, and presuming it performs well it's a candidate for backporting.

@dfalty
Copy link

@dfalty dfalty commented Nov 7, 2017

Verified fixed 1.2.152-3.

jmcphers added a commit that referenced this issue Nov 16, 2017
Fixes an issue in which opening a new browser window can cause you to
lose your CSRF token cookie (and therefore lose access to CRSF-guarded
pages such as signout), since this cookie had no expiration and was
therefore treated as a session cookie.
@jmcphers
Copy link
Member Author

@jmcphers jmcphers commented Nov 16, 2017

Backported to 1.1 patch here: b125809

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants