Closed. finke-ba closed this issue 5 years ago.
Hi! Is there any chance to get an answer? This issue seems to be an important security problem because it allows using an old web session after logout.
I’m planning to investigate this week.
@finke-ba If you'll look at the PR, you can see that I've captured your scenario as a test case. I also came up with a patch. Hopefully, I can finish reviewing and polishing soon.
Hi, @gregturn. Thank you a lot for such a quick response and PR! Waiting for your final implementation.
I love detailed scenarios like this that expose issues.
Even more so, I love writing automated tests that capture the scenario to avoid regressing in the future!
After logging out, Spring creates a new SESSION cookie but doesn't delete the current one, and we can use the previous session even after logging out. Please check the comments from this issue - https://github.com/spring-projects/spring-session/issues/1519.
Expected behavior
After logging out, the current SESSION cookie should be deleted or invalidated.
Actual behavior
After logging out, the current SESSION still exists and is accessible in the DB.
Steps to reproduce
Please check this example - https://github.com/finke-ba/webflux-logout-not-delete-session-example. You will find steps to reproduce in readme file.
Reactor Netty version
4.1.39.Final
JVM version (e.g. java -version): 1.8.0_212, x86_64: "AdoptOpenJDK 8"
OS version (e.g. uname -a): Mac OS, Darwin Kernel Version 18.7.0