Open loicjaouen opened 6 years ago
AFAIK the session gets deleted on the webapi server, so when the client sends the "old" session id, he will not be authenticated. Why the cookie is not deleted on the client I don't know. Maybe the specs have changed. Anyway, this is old school stuff and shouldn't be used today anymore.

Also, sessions are only used in v1 authentication. In v2 authentication, tokens are used, which Salsah2 is using.
> the session gets deleted on the webapi server, so when the client sends the "old" session id, he will not be authenticated

Exactly, that's how the problem showed up, users logging out and getting unauthorized access which they did not understand as they were just logging out to demonstrate the platform to external people.

> Anyway, this is old school stuff and shouldn't be used today anymore.

The whole salsah 1.5 is old school and while it shouldn't be used anymore, it's the only production front-end we currently have to offer.

> Why the cookie is not deleted on the client I don't know.

Neither do I 😢
The procedure seems completely legitimate.

What should be tested is: `path` in the `set-cookie` header.

When salsah 1.5 logs out:

1) HTTP DELETE request on route `/v1/session`
   `Set-Cookie: KnoraAuthentication=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT`
2) HTTP GET `/v1/vocabularies`
   the header with `Cookie: KnoraAuthentication=<actual previous session value>` is sent back

The browser should have deleted it... it doesn't.

That's on Firefox, Chrome and Safari, I didn't test others.
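An added example (not code from the Knora or Salsah projects) that models the `path` check suggested above: a minimal RFC 6265-style cookie store keyed by cookie name and path, showing that a deletion `Set-Cookie` whose path does not match the login cookie's path leaves the original cookie in place, so it is still sent on `GET /v1/vocabularies`. The login cookie value `abc123`, the explicit `Path=/` on login and the clock value are constructed assumptions, and whether this is the actual cause in Knora is not established by the thread.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def default_path(request_path):
    # RFC 6265 section 5.1.4: without a Path attribute the cookie path is the
    # request path up to (not including) its last "/", or "/" if none remains.
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def path_matches(request_path, cookie_path):
    # RFC 6265 section 5.1.4 path-match: equal, or cookie path is a prefix
    # ending in "/" or followed by "/" in the request path.
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieStore:
    """Single-host cookie jar: a cookie is identified by (name, path)."""

    def __init__(self):
        self.cookies = {}

    def set_cookie(self, header, request_path, now):
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {k.strip().lower(): v.strip() for k, _, v in
                 (p.partition("=") for p in parts[1:])}
        key = (name.strip(), attrs.get("path") or default_path(request_path))
        expires = attrs.get("expires")
        if expires and parsedate_to_datetime(expires) <= now:
            # An expired cookie only evicts the cookie with the SAME name and path.
            self.cookies.pop(key, None)
        else:
            self.cookies[key] = value

    def cookie_header(self, request_path):
        return "; ".join(f"{n}={v}" for (n, p), v in self.cookies.items()
                         if path_matches(request_path, p))


def cookie_sent_after_logout(login_set_cookie, logout_set_cookie):
    """Replay: login sets the cookie, DELETE /v1/session tries to delete it,
    then report the Cookie header the client would send on GET /v1/vocabularies."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock value
    store = CookieStore()
    store.set_cookie(login_set_cookie, "/v1/session", now)
    store.set_cookie(logout_set_cookie, "/v1/session", now)
    return store.cookie_header("/v1/vocabularies")
```

With the deletion header from the thread and no `Path`, the default path becomes `/v1`, which does not match a login cookie set with `Path=/`, so the old value survives; repeating the login cookie's `Path` on the deletion removes it.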