Session change doesn't remove old session #116
Comments
Hi! Is there any chance to get an answer? This issue seems to be an important security problem because it allows the old web session to be used after logout.
I'm planning to investigate this week.
When a session is made invalid and changed to a new one, the old one must be deleted from MongoDB at the next save(). Resolves #116.
@finke-ba If you look at the PR, you can see that I've captured your scenario as a test case. I also came up with a patch. Hopefully, I can finish reviewing and polishing soon.
Hi, @gregturn. Thank you very much for such a quick response and PR!
I love detailed scenarios like this that expose issues. Even more so, I love writing automated tests that capture the scenario to avoid regressing in the future!
After logging out, Spring creates a new SESSION cookie but doesn't delete the current one, and we can use the previous session even after logging out.
Please check comments from this issue - spring-projects/spring-session#1519.
Expected behavior
After logging out, the current SESSION cookie should be deleted or invalidated.
Actual behavior
After logging out, the current SESSION still exists and is accessible in the DB.
Steps to reproduce
Please check this example - https://github.com/finke-ba/webflux-logout-not-delete-session-example. You will find the steps to reproduce in the readme file.
Reactor Netty version: 4.1.39.Final
JVM version (e.g. java -version): 1.8.0_212, x86_64: "AdoptOpenJDK 8"
OS version (e.g. uname -a): Mac OS, Darwin Kernel Version 18.7.0
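The failure mode reported in this issue, and the fix described in the PR comment (delete the record stored under the old id when the session id has changed), as an added illustration that is not part of the thread and not Spring Session's own code. It is a generic in-memory model: a dict stands in for the MongoDB collection, `LeakyRepository.save()` reproduces the reported behaviour (the old record survives id rotation and the old cookie still resolves to a logged-in session), and `FixedRepository.save()` deletes the old record first. The names `Session`, `LeakyRepository`, `FixedRepository` and `logout_then_reuse_old_cookie` are assumptions of this example, not Spring's API.

```python
"""Added example: why rotating a session id on logout without deleting the
old record leaves the old cookie usable.  Generic model, not Spring Session
code; the in-memory dict stands in for the MongoDB session collection."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Minimal session: current id, the id it was loaded under, attributes."""
    id: str
    original_id: str
    attributes: dict = field(default_factory=dict)

    def change_session_id(self) -> str:
        """Rotate the id, as a framework does on login/logout.  The record
        stored under original_id stays in the store until save() handles it."""
        self.id = secrets.token_urlsafe(24)
        return self.id


class LeakyRepository:
    """Reproduces the reported behaviour: save() upserts the record under the
    *new* id but never removes the record under the old id."""

    def __init__(self) -> None:
        self.store: dict[str, dict] = {}  # stand-in for the Mongo collection

    def create_session(self) -> Session:
        sid = secrets.token_urlsafe(24)
        return Session(id=sid, original_id=sid)

    def save(self, session: Session) -> None:
        self.store[session.id] = dict(session.attributes)
        session.original_id = session.id

    def find_by_id(self, sid: str) -> Optional[Session]:
        attrs = self.store.get(sid)
        if attrs is None:
            return None
        return Session(id=sid, original_id=sid, attributes=dict(attrs))

    def delete_by_id(self, sid: str) -> None:
        self.store.pop(sid, None)


class FixedRepository(LeakyRepository):
    """Same store, but save() deletes the record under the previous id when
    the session id changed since the session was loaded."""

    def save(self, session: Session) -> None:
        if session.original_id != session.id:
            self.delete_by_id(session.original_id)
        super().save(session)


def logout_then_reuse_old_cookie(repo: LeakyRepository) -> Optional[Session]:
    """Log in, log out (attribute clear + id rotation + save), then present
    the OLD cookie.  Returns the session the old cookie still resolves to,
    or None if logout really invalidated it.  Input data is constructed."""
    session = repo.create_session()
    session.attributes["user"] = "alice"  # constructed login state
    repo.save(session)
    old_cookie = session.id

    # Logout as the issue describes it: new SESSION id, then persist.
    session.attributes.clear()
    session.change_session_id()
    repo.save(session)

    # An attacker (or the same browser) replays the pre-logout cookie.
    return repo.find_by_id(old_cookie)


if __name__ == "__main__":
    leaked = logout_then_reuse_old_cookie(LeakyRepository())
    print("leaky repo, old cookie resolves to:", leaked)
    print("fixed repo, old cookie resolves to:", logout_then_reuse_old_cookie(FixedRepository()))
```

The point to check against a real deployment is the same as the last step of the function: after logout, replay the pre-logout SESSION cookie against an authenticated endpoint and confirm the server treats it as anonymous, and confirm the old id is gone from the backing store rather than merely no longer referenced by the cookie.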