Bug #16132

closed

Logout does not work if csrf token has expired.

Added by John Pettitt 8 days ago. Updated 8 days ago.

Status: Rejected
Priority: Low
Assignee: -
Category: Authentication
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version: 24.11
Affected Architecture: All

Description

If the screen has been logged in for a long time (default auto logout time changed to greater than xsrf lifetime), clicking the logout on the home screen fails with an xsrf expired error, leaving the user logged in.

Expected behavior - user is logged out.

Maybe either ...
a) increase the xsrf token lifetime to match the default auto logout
or b) ignore xsrf on logout and just log the user out (slight risk of denial of service by cross site logout)

#1

Updated by Jim Pingle 8 days ago

  • Status changed from New to Rejected

Allowing requests to succeed (even logout requests) with invalid CSRF validation is not an option.

There is already an issue about the CSRF lifetime vs session lifetime (but not all details are public): #13765

The user is given an option to re-submit a request when they hit this condition anyhow, which they are free to do if they want to continue.
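The situation the two posts describe, as an added illustration that is not pfSense code or either participant's: a time-limited HMAC CSRF token, a session whose auto-logout timeout is longer than the token lifetime, and a logout handler that responds to an expired token by re-issuing one for re-submission rather than skipping validation. The secret, lifetimes and session values are constructed for the example.

```python
import hmac, hashlib

SECRET = b"constructed-server-secret"   # assumption: a per-install secret
CSRF_LIFETIME = 3600                    # constructed: token valid for 1 hour
SESSION_TIMEOUT = 4 * 3600              # constructed: auto-logout after 4 hours

def issue_token(session_id: str, now: int) -> str:
    """Token = issue time + HMAC over (session id, issue time)."""
    mac = hmac.new(SECRET, f"{session_id}:{now}".encode(), hashlib.sha256).hexdigest()
    return f"{now}:{mac}"

def verify_token(token: str, session_id: str, now: int) -> str:
    """Return 'ok', 'expired' or 'invalid'; a bad MAC is never accepted."""
    try:
        ts, mac = token.split(":", 1)
        issued = int(ts)
    except ValueError:
        return "invalid"
    expected = hmac.new(SECRET, f"{session_id}:{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "invalid"
    return "expired" if now - issued > CSRF_LIFETIME else "ok"

def handle_logout(session: dict, token: str, now: int) -> str:
    """Log out only on a valid, unexpired token. On expiry, hand back a fresh
    token to re-submit with instead of skipping the check, which would allow
    the cross-site logout the report itself mentions."""
    if now - session["login_at"] > SESSION_TIMEOUT:
        session["active"] = False
        return "session_timed_out"
    status = verify_token(token, session["id"], now)
    if status == "ok":
        session["active"] = False
        return "logged_out"
    if status == "expired":
        session["csrf"] = issue_token(session["id"], now)
        return "resubmit_with_new_token"
    return "rejected"

def simulate() -> list:
    """Login at t=0; click Logout after 2 hours: session alive, token expired."""
    t0 = 1_700_000_000
    s = {"id": "sess-constructed", "login_at": t0, "active": True}
    s["csrf"] = issue_token(s["id"], t0)
    t = t0 + 2 * 3600
    out = [handle_logout(s, s["csrf"], t)]            # stale token from old page
    out.append(handle_logout(s, "0:deadbeef", t))     # forged token: rejected
    out.append(handle_logout(s, s["csrf"], t + 5))    # re-issued token: logged out
    return out + [s["active"]]
```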
