If you've chosen to "Stay signed in" when first logging in to RStudio Server, you can never sign out again after the first time you close all browsers. (If you sign out before exiting the browser app, signout will be successful.)
Make sure you're logged out of RStudio
Log in to RStudio with "Stay signed in" checked
Close all browser windows
Open a browser window and visit RStudio. You will be automatically logged in.
--> 5a) Click on the signout icon in the upper right hand corner
--> 5b) Click on the "R" logo on the upper right to get to the home page, then click on the signout icon in the upper right hand corner
This takes you to the page "auth-sign-out" with the error
Missing or incorrect token.
The only way to sign out at this point is to clear cookies.
RSP 1.1.374 on Ubuntu (Xenial), CentOS, and openSUSE.
The text was updated successfully, but these errors were encountered:
I'm surprised no one's reported this since the issue also exists in 1.0 (and has ever since we added CSRF protection). Fix is pretty simple, and presuming it performs well it's a candidate for backporting.
Fixes an issue in which opening a new browser window can cause you to
lose your CSRF token cookie (and therefore lose access to CRSF-guarded
pages such as signout), since this cookie had no expiration and was
therefore treated as a session cookie.