author | Gunnar Mills <gmills@us.ibm.com> | 2022-06-07 00:22:37 +0300 |
---|---|---|
committer | Ed Tanous <ed@tanous.net> | 2022-06-11 01:14:27 +0300 |
commit | 7b7f04104bb3d4e8dd20fa0e338a3e7a5ae3d9fa (patch) | |
tree | 2c4f9d77bb108440b96dbabe54a477fe12fe1d24 /include/login_routes.hpp | |
parent | 70fae94d18ca81507b6f09d575a28f68248e8721 (diff) | |
download | bmcweb-7b7f04104bb3d4e8dd20fa0e338a3e7a5ae3d9fa.tar.xz |
On logout set Session cookie with expired date
The Session cookie is an HttpOnly cookie.
HttpOnly means the cookie cannot be accessed through client-side script;
because of this, the GUI cannot delete this cookie on logout.
Recommendation online was setting this cookie to an expired date.
From https://tools.ietf.org/search/rfc6265
"Finally, to remove a cookie, the server returns a Set-Cookie header
with an expiration date in the past. The server will be successful in
removing the cookie only if the Path and the Domain attribute in the
Set-Cookie header match the values used when the cookie was created."
For more information see
https://stackoverflow.com/questions/5285940/correct-way-to-delete-cookies-server-side
Modern browsers delete expired cookies, although based on reading it
might not be right away, but on the next request from that domain or
when the browser is cleaning up cookies.
When I tested, the cookie was deleted right away.
Also set the SESSION to an empty string.
Discussed in discord here:
https://discord.com/channels/775381525260664832/855566794994221117/982351098998321163
Webui-vue and phosphor-webui both use this /logout route:
https://github.com/openbmc/webui-vue/blob/a5fefd0ad25753e5f7da03d77dfe7fe10255ebb6/src/store/modules/Authentication/AuthenticanStore.js#L50
https://github.com/openbmc/phosphor-webui/blob/339db9a4c8610c5ecb92993c0bbc2219933bc858/app/common/services/userModel.js#L46
It seemed unnecessary to add it to the SessionCollection Post.
Tested: No longer have the cookie after log out on webui-vue.
Tested on Firefox and Chrome.
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
Change-Id: Ic12b6f628293a80c93ffbbe1bf06c9b2d6a53af7
Diffstat (limited to 'include/login_routes.hpp')
-rw-r--r-- | include/login_routes.hpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/include/login_routes.hpp b/include/login_routes.hpp index 1a35adfd75..fde4b8f645 100644 --- a/include/login_routes.hpp +++ b/include/login_routes.hpp @@ -240,6 +240,11 @@ inline void requestRoutes(App& app) asyncResp->res.jsonValue["message"] = "200 OK"; asyncResp->res.jsonValue["status"] = "ok"; + asyncResp->res.addHeader("Set-Cookie", + "SESSION=" + "; SameSite=Strict; Secure; HttpOnly; " + "expires=Thu, 01 Jan 1970 00:00:00 GMT"); + persistent_data::SessionStore::getInstance().removeSession(session); } }); |
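Review bot: the added Set-Cookie header in this hunk carries no Path or Domain attribute, yet the RFC 6265 text quoted in the commit message says the removal only succeeds when Path and Domain match the values used when the cookie was created; please confirm that the login path sets the SESSION cookie with the same (absent) Path and Domain, since a default Path is derived from the request URL and could differ between the login and logout routes, and otherwise add the matching explicit `Path=` here. Consider also appending `Max-Age=0` next to `expires=Thu, 01 Jan 1970 00:00:00 GMT`, as Max-Age takes precedence where supported and does not depend on the client clock. Placing the header before `removeSession(session)` is correct, as the response is still being built at that point.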