Improvements #13498: Also change session ID on logout
Status: Closed
Start date: 02/06/2025
% Done: 0%
Description
While there is no vulnerability allowing a previously logged-out session to be resumed, due to how login state is managed, it seems clean to also change the session ID.
This is what OWASP recommends.
Auth::Login::logout() changes the state of the Login object. This Login is unique per session, and thus identifies the session as being logged out. Any request that would then access information that ought to be guarded can recognize the state, and not allow access to controlled data.
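The mechanism described above, as an added stand-alone example (not code from the Wt project): a per-session Login object whose logout() both flips the login state, which guarded requests check, and rotates the session ID so that a previously captured cookie stops resolving to the session. In Wt itself the rotation would be done with WApplication::changeSessionId(); the SessionStore, Session, Login and guardedData names below are hypothetical stand-ins, and the "stolen" cookie in the scenario is constructed for the demonstration.

```cpp
// Added example, not Wt code: a minimal model of per-session login state plus
// session-ID rotation on logout. SessionStore, Session, Login and guardedData
// are hypothetical names standing in for the framework's own classes.
#include <cstdint>
#include <iomanip>
#include <iostream>
#include <map>
#include <memory>
#include <optional>
#include <random>
#include <sstream>
#include <string>

// Fresh 32-hex-char identifier. A real implementation would draw from the
// platform CSPRNG; a random_device-seeded mt19937 is only a placeholder here.
std::string newSessionId() {
    static std::random_device rd;
    static std::mt19937_64 gen(rd());
    std::uniform_int_distribution<std::uint64_t> dist;
    std::ostringstream out;
    out << std::hex << std::setfill('0')
        << std::setw(16) << dist(gen) << std::setw(16) << dist(gen);
    return out.str();
}

enum class LoginState { LoggedOut, LoggedIn };

struct Session {
    std::string id;                            // current cookie value
    LoginState state = LoginState::LoggedOut;  // what guarded requests consult
    std::string user;
};

class SessionStore {
public:
    // Create an anonymous session and hand back the cookie value.
    std::string create() {
        auto s = std::make_shared<Session>();
        s->id = newSessionId();
        sessions_[s->id] = s;
        return s->id;
    }
    // Resolve a cookie; nullptr once the ID has been rotated away.
    std::shared_ptr<Session> lookup(const std::string& cookie) const {
        auto it = sessions_.find(cookie);
        return it == sessions_.end() ? nullptr : it->second;
    }
    // Rotate the ID: the old value stops resolving immediately, so a captured
    // cookie can no longer be replayed against this session.
    std::string changeSessionId(const std::shared_ptr<Session>& s) {
        sessions_.erase(s->id);
        s->id = newSessionId();
        sessions_[s->id] = s;
        return s->id;
    }
private:
    std::map<std::string, std::shared_ptr<Session>> sessions_;
};

// Per-session login object, modelled on the role of Auth::Login.
class Login {
public:
    Login(SessionStore& store, std::shared_ptr<Session> s)
        : store_(store), session_(std::move(s)) {}
    std::string login(const std::string& user) {
        session_->user = user;
        session_->state = LoginState::LoggedIn;
        return store_.changeSessionId(session_);  // rotate on privilege change
    }
    std::string logout() {
        session_->user.clear();
        session_->state = LoginState::LoggedOut;  // the existing state change
        return store_.changeSessionId(session_);  // the rotation this ticket adds
    }
    bool loggedIn() const { return session_->state == LoginState::LoggedIn; }
private:
    SessionStore& store_;
    std::shared_ptr<Session> session_;
};

// A request for controlled data: resolve the cookie, then check login state.
std::optional<std::string> guardedData(const SessionStore& store, const std::string& cookie) {
    auto s = store.lookup(cookie);
    if (!s || s->state == LoginState::LoggedOut) return std::nullopt;
    return "account data for " + s->user;
}

struct Scenario {
    bool dataWhileLoggedIn;
    bool oldCookieResolvesAfterLogout;
    bool dataWithNewCookieAfterLogout;
    bool idChangedOnLogout;
};

// Walk through login, a captured cookie (constructed), and logout.
Scenario runScenario() {
    SessionStore store;
    std::string cookie = store.create();
    Login login(store, store.lookup(cookie));
    cookie = login.login("alice");
    Scenario r{};
    r.dataWhileLoggedIn = guardedData(store, cookie).has_value();
    std::string stolen = cookie;   // constructed: an attacker captured this value
    cookie = login.logout();
    r.idChangedOnLogout = (cookie != stolen);
    r.oldCookieResolvesAfterLogout = (store.lookup(stolen) != nullptr);
    r.dataWithNewCookieAfterLogout = guardedData(store, cookie).has_value();
    return r;
}

int main() {
    Scenario r = runScenario();
    std::cout << "data while logged in: " << r.dataWhileLoggedIn
              << ", old cookie resolves after logout: " << r.oldCookieResolvesAfterLogout
              << ", data with new cookie after logout: " << r.dataWithNewCookieAfterLogout
              << ", id changed on logout: " << r.idChangedOnLogout << '\n';
}
```

Both checks matter: the state check alone already denies controlled data after logout, as the description says, while the rotation additionally makes the old identifier useless even if the same session later logs in again.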
Updated by Romain Mardulyn 12 months ago
- Status changed from New to InProgress
- Assignee set to Romain Mardulyn
Updated by Romain Mardulyn 12 months ago
- Status changed from InProgress to Review
- Assignee deleted (Romain Mardulyn)
Updated by Matthias Van Ceulebroeck 8 months ago
- Target version changed from 4.12.0 to 4.12.3
Updated by Matthias Van Ceulebroeck 29 days ago
- Assignee set to Matthias Van Ceulebroeck
Updated by Romain Mardulyn 15 days ago
- Target version changed from 4.12.3 to 4.12.4
Updated by Romain Mardulyn 9 days ago
- Status changed from Review to Implemented @Emweb
- Assignee changed from Matthias Van Ceulebroeck to Romain Mardulyn
Updated by Romain Mardulyn 2 days ago
- Status changed from Implemented @Emweb to Closed
- Private changed from Yes to No