Actions
Bug #13481
closedRemove client-side deleted cookies from persisted storage
Start date:
02/04/2025
Due date:
% Done:
100%
Estimated time:
Description
Currently, when a user logs out of the application, with any functionality that call logout(), this will:
- mark the user as being logged out
- remove the login cookie, if this mechanism is enabled (which it is by default)
This does NOT yet clear the cookie from the server's database. This can lead to a flaw where the user:
- logs in with "Remember me" selected
- opens their console, and copies the cookie's name and value
- logs out (and the cookie is removed from their browser)
- creates a new cookie, with the copied name and value
- refreshes the page
After all this, the result will be that they are now logged in again, due to the cookie being detected on the server side, since it was not deleted from its persisted storage.
This should be the case.
Updated by Matthias Van Ceulebroeck 24 days ago
- Status changed from InProgress to Review
- Assignee deleted (
Matthias Van Ceulebroeck)
Updated by Matthias Van Ceulebroeck 17 days ago
- Status changed from Review to Implemented @Emweb
- Assignee changed from Romain Mardulyn to Matthias Van Ceulebroeck
- % Done changed from 0 to 100
Updated by Matthias Van Ceulebroeck 9 days ago
- Status changed from Implemented @Emweb to Implemented @Test
Updated by Matthias Van Ceulebroeck 9 days ago
- Status changed from Implemented @Test to Closed
Actions