summaryrefslogtreecommitdiff
path: root/include/login_routes.hpp
diff options
context:
space:
mode:
authorGunnar Mills <gmills@us.ibm.com>2022-06-07 00:22:37 +0300
committerEd Tanous <ed@tanous.net>2022-06-11 01:14:27 +0300
commit7b7f04104bb3d4e8dd20fa0e338a3e7a5ae3d9fa (patch)
tree2c4f9d77bb108440b96dbabe54a477fe12fe1d24 /include/login_routes.hpp
parent70fae94d18ca81507b6f09d575a28f68248e8721 (diff)
downloadbmcweb-7b7f04104bb3d4e8dd20fa0e338a3e7a5ae3d9fa.tar.xz
On logout set Session cookie with expired date
The Session cookie is an HttpOnly cookie. HttpOnly means the cookie cannot be accessed through client side script because of this the GUI can not delete this cookie on log out. Recommendation online was setting this cookie to an expired date. From https://tools.ietf.org/search/rfc6265 "Finally, to remove a cookie, the server returns a Set-Cookie header with an expiration date in the past. The server will be successful in removing the cookie only if the Path and the Domain attribute in the Set-Cookie header match the values used when the cookie was created." For more information see https://stackoverflow.com/questions/5285940/correct-way-to-delete-cookies-server-side Modern browsers delete expired cookies although based on reading it might not be right away but on the next request from that domain or when the browser is cleaning up cookies. When I tested the cookie is deleted right away. Also set the SESSION to an empty string. Discussed in discord here: https://discord.com/channels/775381525260664832/855566794994221117/982351098998321163 Webui-vue and phosphor-webui both use this /logout route: https://github.com/openbmc/webui-vue/blob/a5fefd0ad25753e5f7da03d77dfe7fe10255ebb6/src/store/modules/Authentication/AuthenticanStore.js#L50 https://github.com/openbmc/phosphor-webui/blob/339db9a4c8610c5ecb92993c0bbc2219933bc858/app/common/services/userModel.js#L46 It seemed unnecessary to add it to the SessionCollection Post. Tested: No longer have the cookie after log out on webui-vue. Tested on Firefox and Chrome. Signed-off-by: Gunnar Mills <gmills@us.ibm.com> Change-Id: Ic12b6f628293a80c93ffbbe1bf06c9b2d6a53af7
Diffstat (limited to 'include/login_routes.hpp')
-rw-r--r--include/login_routes.hpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/include/login_routes.hpp b/include/login_routes.hpp
index 1a35adfd75..fde4b8f645 100644
--- a/include/login_routes.hpp
+++ b/include/login_routes.hpp
@@ -240,6 +240,11 @@ inline void requestRoutes(App& app)
asyncResp->res.jsonValue["message"] = "200 OK";
asyncResp->res.jsonValue["status"] = "ok";
+ asyncResp->res.addHeader("Set-Cookie",
+ "SESSION="
+ "; SameSite=Strict; Secure; HttpOnly; "
+ "expires=Thu, 01 Jan 1970 00:00:00 GMT");
+
persistent_data::SessionStore::getInstance().removeSession(session);
}
});