Skip to content

frontend: remove session upon signout

Warren Gifford requested to merge as/remove-session-upon-signout into main

Created by: asdine

This change deletes both the session cookie and the Redis session key when the client logs out. Currently, when a user logs out, the session is invalidated but not deleted. Whenever a client logs in with the same browser, the old session is reused by https://github.com/gorilla/sessions which can lead to authentication bypass.

Note: The issue still remains when an admin manually invalidates a user session. @ElizabethStirling any thoughts?

Related to https://github.com/sourcegraph/security-issues/issues/136

Merge request reports

Loading