heroku / identity

[DEPRECATED] Login and OAuth management service for Heroku
https://id.heroku.com/
MIT License

Flush previous session on login #214

Closed dmcinnes closed 8 years ago

dmcinnes commented 8 years ago

This updates the login endpoint to force any previous sessions attached to the browser to explicitly log out before the new user logs in.

Also does the same for login-external requests.

Ready for review @heroku/api

dmcinnes commented 8 years ago

Pen Test: User Session Cross-over

elight commented 8 years ago

LGTM

dmcinnes commented 8 years ago

@elight thanks!

paulelliott commented 8 years ago

@dmcinnes was this change driven by the security team? I'd be interested to know the history.

dmcinnes commented 8 years ago

@paulelliott yes it was, as a result of pen testing: https://trello.com/c/EPEWhrbr/62-2015-pen-test-user-session-cross-over-api