omen-osdev / omen-demo

Demo for webserver

Server side session persists even if instance is shut down #9

Closed s1nisteR closed 1 month ago

s1nisteR commented 1 month ago

The session persists while the user stays on the /instance page.

To replicate the issue, just stay on that page and keep refreshing. Even when the instance shuts down, the session cookie persists (even with time limits applied).

But the issue is fixed when the user is redirected to the homepage and then comes back to launch an instance.

My guess is that the frontend javascript should handle the redirect. And even if there are no redirects, the user can keep refreshing the page; it'll only show the iframe for an instance that's turned off. Also, if the user tried to modify the frontend js to prevent redirection to the homepage, it'll be bad for him, because while the session cookie persists the user cannot launch a new instance.

Can this be somehow abused though?

YonLiud commented 1 month ago

I believe we can detach the frontend from the backend fully, therefore when the user enters `/instance`, they won't be able to manipulate the backend at all.

Another method is to remove all cookies when the user's session ends.
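The two comments above describe the same mitigation from two sides: the server must treat the session as invalid the moment the instance stops (so refreshing `/instance` cannot keep a dead session alive, and the user is not blocked from launching a new one), and it should clear the cookie when it redirects. The following is an added example written for this thread, not code from omen-demo; the project's language and identifiers are not stated in the issue, so the Python module, the `omen_session` cookie name, the 600-second TTL and the in-memory store are all assumptions.

```python
"""Added example (not omen-demo code): bind a server-side session to the
lifetime of the instance it was created for, and make the server, not the
frontend JavaScript, decide whether /instance is still valid."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

SESSION_TTL_SECONDS = 600        # assumed time limit; the issue mentions limits but no value
COOKIE_NAME = "omen_session"     # assumed cookie name


@dataclass
class Session:
    token: str
    instance_id: str
    expires_at: float


class SessionStore:
    """In-memory store for illustration; a real deployment would share this
    state between web workers. The clock is injectable so expiry is testable."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}   # token -> session
        self._running: Set[str] = set()           # ids of instances that are still up

    def launch_instance(self, instance_id: str,
                        existing_token: Optional[str] = None) -> Optional[str]:
        """Start an instance and mint a session for it. A caller that still holds a
        valid session is refused, which is why stale sessions must be revoked promptly."""
        if existing_token is not None and self.validate(existing_token) is not None:
            return None
        token = secrets.token_urlsafe(32)
        self._running.add(instance_id)
        self._sessions[token] = Session(token, instance_id,
                                        self._clock() + SESSION_TTL_SECONDS)
        return token

    def validate(self, token: Optional[str]) -> Optional[Session]:
        """Return the session only if it exists, is unexpired and its instance is
        running. Any failing check deletes the session so it cannot linger."""
        session = self._sessions.get(token) if token else None
        if session is None:
            return None
        if self._clock() >= session.expires_at or session.instance_id not in self._running:
            del self._sessions[token]
            return None
        return session

    def shutdown_instance(self, instance_id: str) -> int:
        """Stop the instance and revoke every session bound to it.
        Returns the number of sessions revoked."""
        self._running.discard(instance_id)
        stale = [t for t, s in self._sessions.items() if s.instance_id == instance_id]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def clear_cookie_header() -> str:
    """Set-Cookie value that removes the session cookie from the browser."""
    return f"{COOKIE_NAME}=; Max-Age=0; Path=/; HttpOnly; SameSite=Strict"


def instance_page(store: SessionStore, token: Optional[str]) -> dict:
    """Server-side handling of GET /instance. A stale or expired session gets a
    redirect to the homepage plus a cookie-clearing header, regardless of what
    the frontend script does; a live session gets the iframe target."""
    session = store.validate(token)
    if session is None:
        return {"status": 302, "location": "/", "set_cookie": clear_cookie_header()}
    return {"status": 200, "iframe_for": session.instance_id}


def demo() -> list:
    """Walk through the scenario from the issue with a controllable clock."""
    now = [1000.0]
    store = SessionStore(clock=lambda: now[0])
    token = store.launch_instance("inst-1")
    live = instance_page(store, token)["status"]                 # 200: instance up
    blocked = store.launch_instance("inst-2", existing_token=token)  # None: still has a session
    store.shutdown_instance("inst-1")
    after_shutdown = instance_page(store, token)["status"]       # 302: refresh no longer works
    token2 = store.launch_instance("inst-2", existing_token=token)   # allowed: old session gone
    relaunched = instance_page(store, token2)["status"]          # 200
    now[0] += SESSION_TTL_SECONDS + 1
    expired = instance_page(store, token2)["status"]             # 302: TTL enforced server-side
    return [live, blocked, after_shutdown, relaunched, expired]


if __name__ == "__main__":
    print(demo())
```

The check that matters is in `validate`: expiry and instance state are both evaluated on every request, and a failed check deletes the server-side record, so the cookie the browser keeps sending no longer maps to anything. Clearing the cookie in the redirect response is a courtesy to the client; the server-side revocation is what closes the issue.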

s1nisteR commented 1 month ago

Fixed in 3a6c0a76b7ca31349b8652426f30e64c5e0c5ce3