Bug: Iron Session Cookie not destroyed on second logout attempt #5
Labels
bug
Something isn't working
good first issue
Good for newcomers
help wanted
Extra attention is needed
Comments
kamescg
added
bug
kamescg
changed the title
|
Fixed |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The SIWE flow uses
iron-sessionto create a session using an encrypted cookie.Normally we want to create this with
httpOnlyset too true.Right now we are manually overriding default setting:
https://github.com/turbo-eth/template-web3-app/blob/main/lib/config.ts#L27
Why?
A bug is present causing the cookie not be removed upon the second logout request. I don't know why.
Instead the cookie is accessed from the browser/client and is destroyed manually, if the API
/account/logoutrequest fails. This is NOT SECURE and the bug needs to be fixed before a production application can use the boilerplate.The text was updated successfully, but these errors were encountered: