
Potential for session leakage

Open · Alacho2 opened this issue 5 years ago · 1 comment

With the current implementation of the Local Strategy from Passport, there is a potential for the session to leak into new requests after the user refreshes the page.

There is a need for a req.session.destroy() call after req.logout() to remove the session from new requests coming in.

https://github.com/arcuri82/web_development_and_api_design/blob/1b88ebe7ae4e2bcdb99fd2d2289ebd63dfb44bc4/les08/authentication/src/server/routes.js#L46

Alacho2 · Apr 25 '20 18:04

Hi, thanks! It looks like "logout" indeed just removes the user from the session, but does not destroy the session itself. For a REST API (which is supposed to be stateless), this should not be a major issue (unless you keep state linked to the session)... but you can never be sure when it comes to security!
I am busy these days, so I don't have much time to check it out / investigate it properly. Anyway, it will have no impact on the exam.

arcuri82 · Apr 26 '20 13:04