
Potential for session leakage #49

Open
Alacho2 opened this issue Apr 25, 2020 · 1 comment

Comments


Alacho2 commented Apr 25, 2020

With the current implementation of the Local Strategy from Passport, there is a potential for the session leaking into new requests after the user refreshes the page.

There is a need for a req.session.destroy() call after req.logout() to remove the session from new requests coming in.

Alacho2 changed the title from "Lack of correct session destroy" to "Potential for session leakage" on Apr 25, 2020
arcuri82 (Owner) commented

Hi,
thanks! It looks like indeed "logout" just removes the user from the session, but does not destroy the session itself. For a REST API (which is supposed to be stateless), this should not be a major issue (unless you keep state linked to the session)... but you can never be sure when it comes to security!
I am busy these days, so I don't have much time to check it out / investigate it properly. Anyway, it will have no impact on the exam.
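The behaviour both comments describe, as an added example that is not code from this repository, from Passport or from express-session: a logout handler that only calls req.logout() is placed next to one that also calls req.session.destroy() and clears the cookie, and a small constructed simulation shows what a follow-up request carrying the same session cookie would still find on the server. The in-memory store, the request/response objects, the session id and the session contents are all constructed for the example; req.logout() is modelled as removing only the user from the session (the synchronous Passport 0.4-era behaviour the issue refers to) and the cookie name connect.sid is express-session's default.

```javascript
'use strict';

// Constructed stand-in for express-session's in-memory store: session id -> data.
class MemoryStore {
  constructor() { this.sessions = new Map(); }
  get(id) { return this.sessions.get(id); }
  set(id, data) { this.sessions.set(id, data); }
  destroy(id) { this.sessions.delete(id); }
}

// Build a request whose methods model the behaviour the issue describes (an
// assumption for this example, not Passport's or express-session's real code):
// req.logout() only removes the user from the session; req.session.destroy(cb)
// deletes the whole session from the store.
function makeRequest(store, sessionId) {
  const session = store.get(sessionId);
  const req = { sessionID: sessionId, session, user: undefined };
  if (session.passport) req.user = session.passport.user;
  Object.defineProperty(session, 'destroy', {
    enumerable: false,
    configurable: true,
    value: (cb) => { store.destroy(sessionId); cb(null); },
  });
  req.logout = () => {
    req.user = undefined;
    if (req.session.passport) delete req.session.passport.user;
  };
  return req;
}

// Minimal response object that records what a handler did (constructed).
function makeResponse() {
  return {
    redirectedTo: null,
    clearedCookies: [],
    statusCode: 200,
    redirect(url) { this.redirectedTo = url; },
    clearCookie(name) { this.clearedCookies.push(name); },
    status(code) { this.statusCode = code; return this; },
    end() {},
  };
}

// The pattern the issue reports: logout without destroying the session.
function logoutOnly(req, res) {
  req.logout();
  res.redirect('/');
}

// Hardened version: logout, then destroy the server-side session and tell the
// browser to drop the session cookie so the old id is not presented again.
function logoutAndDestroy(req, res) {
  req.logout();
  req.session.destroy((err) => {
    if (err) {
      res.status(500).end();
      return;
    }
    res.clearCookie('connect.sid');
    res.redirect('/');
  });
}

// Run a handler against a session carrying a logged-in user plus other state,
// then report what a follow-up request presenting the same cookie would find.
function simulate(handler) {
  const store = new MemoryStore();
  const sid = 'constructed-session-id';
  store.set(sid, { passport: { user: 'alice' }, cart: ['item-42'] });
  const res = makeResponse();
  handler(makeRequest(store, sid), res);
  const remaining = store.get(sid);
  return {
    sessionStillInStore: remaining !== undefined,
    leftoverKeys: remaining ? Object.keys(remaining) : [],
    cookieCleared: res.clearedCookies.includes('connect.sid'),
  };
}

console.log('logout only      :', simulate(logoutOnly));
console.log('logout + destroy :', simulate(logoutAndDestroy));
```

With logout only, the store still holds the session under the same id, with the remaining keys (here the passport envelope and the cart) intact, so any request that presents the old cookie picks that state up again; after destroy the lookup returns nothing and the cookie has been cleared. Later Passport releases changed req.logout() to take a callback and regenerate the session; the example models the synchronous behaviour the issue was filed against.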
