Our volunteers' time is limited, so please ask usage questions on
StackOverflow.
[x] This is not a security issue.
Do not disclose security issues in public. See our contributing guide for instructions.
[x] This bug is reproducible with a clean install of authlogic
[x] I am committed to fixing this in a reasonable amount of time, and
responding promptly to feedback.
Expected Behavior
With same_site "None" and secure = true, when you are logged in from inside an iframe with remember_me: true and you try to log out by destroying the session with user_session.destroy, it should log the user out and delete the user_credentials cookie.
Actual Behavior
The above scenario doesn't work for Chromium-based browsers. The user_credentials is not deleted. Tested in Chrome and MS Edge (from iframes inside MS Teams and Outlook). It works fine in Firefox. And no, this is not because of an SSL issue like in #719. I am running ngrok with https for local development and this occurs in production as well.
Note: To be clear, logging out from the site itself works fine on Chrome and MS Edge. But when the site is running inside an iframe, then the expected behaviour is not met.
Google Chrome version: 91.0.4472.77 (Official Build) (64-bit)
MS Edge version: 90.0.818.66
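One way to check the logout response for this symptom, as an added example that is not part of the original report or of authlogic: Chromium treats a cookie without a SameSite attribute as Lax and only accepts a Set-Cookie from a cross-site iframe when it carries both SameSite=None and Secure, and that applies to the expiring header that deletes a cookie too. Whether the logout header here lacks those attributes is an assumption the report does not confirm; the header strings and helper names below are constructed for illustration.

```ruby
require "time"

# Parse one Set-Cookie header value into name, value and lower-cased attributes.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip).reject(&:empty?)
  name, value = pair.split("=", 2)
  attributes = attrs.to_h do |attr|
    key, val = attr.split("=", 2)
    [key.downcase, val || true]
  end
  { name: name, value: value.to_s, attributes: attributes }
end

# A header deletes its cookie when Max-Age <= 0 or Expires lies in the past.
def deletion?(cookie, now: Time.now)
  attrs = cookie[:attributes]
  return attrs["max-age"].to_i <= 0 if attrs.key?("max-age")
  return false unless attrs["expires"].is_a?(String)
  Time.httpdate(attrs["expires"]) <= now
rescue ArgumentError
  false # unparseable Expires: do not treat as a deletion
end

# True when a browser enforcing the SameSite rules would accept this
# Set-Cookie on a response loaded inside a cross-site iframe.
def accepted_in_cross_site_iframe?(cookie)
  attrs = cookie[:attributes]
  attrs["samesite"].to_s.casecmp?("none") && attrs.key?("secure")
end

# Names of cookies the response tries to delete with a header that a
# cross-site iframe would reject, leaving the old cookie in place.
def undeletable_in_iframe(set_cookie_headers, now: Time.now)
  set_cookie_headers.map { |h| parse_set_cookie(h) }
                    .select { |c| deletion?(c, now: now) }
                    .reject { |c| accepted_in_cross_site_iframe?(c) }
                    .map { |c| c[:name] }
end

# Constructed sample headers (not captured from the reporter's application).
LOGIN = "user_credentials=abc123; path=/; max-age=7776000; secure; HttpOnly; SameSite=None"
LOGOUT_BARE = "user_credentials=; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT"
LOGOUT_MATCHING = "#{LOGOUT_BARE}; secure; SameSite=None"

if __FILE__ == $PROGRAM_NAME
  puts "bare logout:     #{undeletable_in_iframe([LOGOUT_BARE]).inspect}"
  puts "matching logout: #{undeletable_in_iframe([LOGOUT_MATCHING]).inspect}"
end
```

Feed it the Set-Cookie values copied from the logout response in the browser's network panel; any name it returns is a cookie that survives logout inside the iframe.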