This repository was archived by the owner on Apr 4, 2025. It is now read-only.
Session change doesn't remove old session #116
Hi! Is there any chance to get an answer? This issue seems to be an important security problem because it allows using the old web session after logging out.
I'm planning to investigate this week.
gregturn added a commit that referenced this issue on Oct 9, 2019:
When a session is made invalid and changed to a new one, the old one must be deleted from MongoDB at the next save(). Resolves #116.
@finke-ba If you'll look at the PR, you can see that I've captured your scenario as a test case. I also came up with a patch. Hopefully, I can finish reviewing and polishing soon.
Hi, @gregturn. Thank you a lot for such a quick response and PR!
I love detailed scenarios like this that expose issues. Even more so, I love writing automated tests that capture the scenario to avoid regressing in the future!
After logging out, Spring creates a new SESSION cookie but doesn't delete the current one, and we can use the previous session even after logging out.
Please check comments from this issue - spring-projects/spring-session#1519.
Expected behavior
After logging out, the current SESSION cookie should be deleted or invalidated.
Actual behavior
After logging out, the current SESSION still exists and is accessible in the DB.
Steps to reproduce
Please check this example - https://github.com/finke-ba/webflux-logout-not-delete-session-example. You will find the steps to reproduce in the readme file.
Reactor Netty version
4.1.39.Final
JVM version (e.g. java -version): 1.8.0_212, x86_64: "AdoptOpenJDK 8"
OS version (e.g. uname -a): Mac OS, Darwin Kernel Version 18.7.0