Server-side Session not destroyed on Logout Action

Wappler Version : 4.9.1 and 5.0.0 Beta
Operating System : Windows and Linux
Server Model: NodeJS
Database Type: Postgres
Hosting Type: Local and DO

Expected behavior

What do you think should happen?
The server-side session should be destroyed on Security Logout.

Actual behavior

What actually happens?
On Security Logout, only the client-side cookies are cleared.
The same cookies can be reused in intercepted requests to fetch authenticated resources.

How to reproduce

  1. Create a Login and Logout flow as you would normally do (with or without OAuth).
  2. Connect the Login flow to a DB and set up Security Restrict for an API.
  3. Authenticate a user with valid credentials and open any authenticated resource/API that uses Security Restrict. Capture the request in an intercepting tool such as Burp Suite or Postman.
  4. Log out from the app using Security Logout.
  5. Replay the captured request from Burp Suite or Postman and you’ll notice that it still authenticates and returns results using the cookies in the request.