jpa-invoicer
Logout doesn't work
I could click logout and witness I have been logged out, but then someone else can come in and simply click login again, and they are in, with my credentials! No authentication required at all! That is a serious security flaw.
What?! Is there some bean scope issue in the example 🤔
Did you configure the Google OAuth to the example or something else?
Probably. I couldn't find the code I was working with. It's been a while. Can try sometime when I get more time. Basically I recall -- when logging out, the view shows I have been logged out, and the session seems to change too, which suggests that the logout actually works. However, in the same browser, if you navigate back to the URL, I get logged back in. That was the issue I experienced.
IIRC the logout in this example just trashes the session bean. So if one goes via some redirects through the Google OIDC server, the next login can happen "unexpectedly", if the Google login is still alive.
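For comparison with "just trashing the session bean", here is an added example (not jpa-invoicer's own code) of a logout servlet that invalidates the whole container session and revokes the Google token at Google's revocation endpoint, so the next login has to go through the authorization step again instead of silently reusing the old grant. The session attribute name `google_token` and the `/loggedout` path are assumptions; the user's Google browser session itself is outside the application's control and stays alive.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Google's OAuth 2.0 token revocation endpoint (accepts access or refresh tokens).
    private static final String REVOKE_URL = "https://oauth2.googleapis.com/revoke";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            // Assumed attribute name: where the app stored the token received at login.
            String token = (String) session.getAttribute("google_token");
            if (token != null) {
                revokeAtGoogle(token);
            }
            // Drop the whole container session, not only the application's session bean.
            session.invalidate();
        }
        // Expire the session cookie in the browser as well, so the old id cannot be replayed.
        Cookie c = new Cookie("JSESSIONID", "");
        c.setMaxAge(0);
        c.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        resp.addCookie(c);
        resp.sendRedirect(req.getContextPath() + "/loggedout");
    }

    private static void revokeAtGoogle(String token) throws IOException {
        String body = "token=" + URLEncoder.encode(token, StandardCharsets.UTF_8);
        HttpRequest request = HttpRequest.newBuilder(URI.create(REVOKE_URL))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        try {
            HttpResponse<Void> r = HttpClient.newHttpClient()
                    .send(request, HttpResponse.BodyHandlers.discarding());
            if (r.statusCode() != 200) { /* log the failure; local logout still proceeds */ }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }
}
```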