directwebremoting / dwr

Direct Web Remoting - Easy Ajax for Java
http://directwebremoting.org
Apache License 2.0

DWR Session ID is not changing after logging out from Application #40

Open sam2498 opened 2 years ago

sam2498 commented 2 years ago

Issue: DWRSESSIONID is not changing when we log out from the application and then log in from the same browser. This improves the chance for a CSRF attack. The issue is happening in the same browser window: when we log out and then log in, the application jsessionid is changing.

DWR Version - 3.0.2-release

ttaruffi commented 2 years ago

When you perform the logout, you could change the DWRSESSIONID cookie with maxAge = 0.
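The cookie-expiry approach suggested in the reply above, written out as an added example (this is not DWR's own code, nor code from either commenter): a servlet that invalidates the container session and then overwrites the DWRSESSIONID cookie with maxAge 0 so the browser discards it. The cookie name comes from the comment; the logout URL, the redirect target and the cookie path (assumed here to be the webapp context path) are assumptions and must be adjusted to match the path and domain the original DWRSESSIONID cookie was issued with, otherwise the browser treats the expiring cookie as a different cookie and keeps the old one.

```java
import java.io.IOException;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical logout servlet (example code, not part of DWR). On logout it
 * 1. invalidates the HttpSession, so the container issues a fresh JSESSIONID
 *    on the next login, and
 * 2. expires the DWRSESSIONID cookie by sending it back with maxAge = 0,
 *    so the next page load gets a new DWR session id instead of reusing the
 *    one from the previous login.
 */
public class LogoutServlet extends HttpServlet {

    // Cookie name taken from the issue thread above.
    private static final String DWR_SESSION_COOKIE = "DWRSESSIONID";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            // Drops all server-side state bound to the current JSESSIONID.
            session.invalidate();
        }

        // Assumption: the DWR cookie was set for the context path. If it was
        // set for "/" or with an explicit domain, use the same values here.
        String path = req.getContextPath().isEmpty() ? "/" : req.getContextPath();
        expireCookie(resp, DWR_SESSION_COOKIE, path);

        // Assumed redirect target; the real login page will differ per app.
        resp.sendRedirect(req.getContextPath() + "/login");
    }

    /**
     * Sends a Set-Cookie header that tells the browser to delete the cookie.
     * Browsers match on name + domain + path, so the path must be identical
     * to the one used when the cookie was created.
     */
    static void expireCookie(HttpServletResponse resp, String name, String path) {
        Cookie expired = new Cookie(name, "");
        expired.setMaxAge(0);       // 0 = delete immediately
        expired.setPath(path);
        expired.setHttpOnly(true);  // matches a hardened original cookie
        resp.addCookie(expired);
    }
}
```

After deploying this, verify the fix in the browser's developer tools: log in, note the DWRSESSIONID value, log out, and confirm the logout response carries a Set-Cookie header for DWRSESSIONID with Max-Age=0 (or an Expires date in the past) and that the cookie is gone from the cookie jar before the second login. If the cookie survives, the path or domain on the expiring Set-Cookie does not match the original.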