Wappler Version : 4.9.1 and 5.0.0 Beta
Operating System : Windows and Linux
Server Model: NodeJS
Database Type: Postgres
Hosting Type: Local and DO
Expected behavior
What do you think should happen?
Server-side Session should get destroyed on Security Logout
Actual behavior
What actually happens?
On Security Logout, only the Client-side cookies are cleared.
The same cookies can be reused in Intercepted requests to fetch Authenticated resources.
How to reproduce
- Create a login and logout flow as you normally would (with or without OAuth).
- Connect the login flow to a database and set up Security Restrict for an API.
- Authenticate a user with valid credentials and open any authenticated resource/API that uses Security Restrict; capture the request in an intercepting tool such as Burp Suite or Postman.
- Log out from the app using Security Logout.
- Replay the captured request from Burp Suite or Postman: it still authenticates and returns results, because the server accepts the cookies carried in the request.