Bug #16132
closed
Logout does not work if csrf token has expired.
Status: Rejected
Priority: Low
Assignee: -
Category: Authentication
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version: 24.11
Affected Architecture: All
Description
If the screen has been logged in for a long time (default auto logout time changed to greater than xsrf lifetime), clicking the logout on the home screen fails with an xsrf expired error, leaving the user logged in.
Expected behavior - user is logged out.
Maybe either ...
a) increase the xsrf token lifetime to match the default auto logout
or b) ignore xsrf on logout and just log the user out (slight risk of denial of service by cross site logout)