t oo created AIRFLOW-4185:
-----------------------------
Summary: [security] ui - Logout does not invalidate the session correctly
Key: AIRFLOW-4185
URL: https://issues.apache.org/jira/browse/AIRFLOW-4185
Project: Apache Airflow
Issue Type: Bug
Components: security, ui
Reporter: t oo
The logout function for the Airflow application does not invalidate the
session cookies. A new cookie is typically issued on each new page or action,
leaving multiple cookies active until they reach the cookie expiry time. After
logout, the application may also be accessed again by pressing the back button
in the browser.

- A logout request is made with a session cookie.
- Successful requests are made to the server after logout using the same cookie.
- After logging out, this cookie can also be used to make successful requests to
  the server before its expiry.

Business Impact/Attack Scenario:
An attacker can replay the original session information to gain access to the
application after a logout has been completed, or return to the application via
the back button.

Recommendation:
Logout needs to be configured to completely invalidate the session cookies
(client and server-side) to prevent replay attacks.
All protected pages need to check the authentication state and authorisation
role before performing any significant work, including rendering content.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
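As an added example (not part of the report above and not Airflow's own code), the following stdlib-only Python contrasts the two session designs the recommendation distinguishes. A signed client-side cookie can only be "logged out" by asking the browser to discard it; the token itself still verifies if replayed until its expiry, which is the behaviour the report describes. A server-side session store makes logout delete the record, so a replayed cookie is rejected, and a protected handler checks the session before rendering and sends no-store cache headers so the back button refetches the page instead of showing a cached copy. The secret, the store, the handler and the timestamps are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for this example; a real deployment loads its secret from config.
SERVER_SECRET = b"example-only-secret"


def _sign(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


# --- Design 1: signed client-side session (stateless) -------------------------
# The server keeps no state; "logout" can only tell the browser to drop the cookie.

def make_stateless_cookie(user: str, ttl: int, now: int) -> str:
    payload = base64.urlsafe_b64encode(
        json.dumps({"user": user, "exp": now + ttl}).encode()).decode()
    return f"{payload}.{_sign(payload)}"


def verify_stateless_cookie(cookie: str, now: int):
    """Return the user if the signature is valid and the cookie is unexpired, else None.
    Nothing here can know that a logout happened: a replayed cookie still passes."""
    payload, _, sig = cookie.rpartition(".")
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    data = json.loads(base64.urlsafe_b64decode(payload))
    return data["user"] if now < data["exp"] else None


# --- Design 2: server-side session store (stateful) ---------------------------
# The cookie carries only a random session id; revocation happens on the server.

class ServerSessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "exp": ...}

    def login(self, user: str, ttl: int, now: int) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "exp": now + ttl}
        return sid

    def logout(self, sid: str) -> None:
        # Deleting the server record is what actually invalidates the cookie.
        self._sessions.pop(sid, None)

    def logout_everywhere(self, user: str) -> int:
        """Revoke every session of a user (covers the multiple-cookies case); returns count."""
        stale = [s for s, d in self._sessions.items() if d["user"] == user]
        for s in stale:
            del self._sessions[s]
        return len(stale)

    def resolve(self, sid: str, now: int):
        data = self._sessions.get(sid)
        if data is None or now >= data["exp"]:
            self._sessions.pop(sid, None)  # drop expired records eagerly
            return None
        return data["user"]


# --- A protected page that checks the session before doing any work -----------

NO_CACHE = {"Cache-Control": "no-store, no-cache, must-revalidate", "Pragma": "no-cache"}


def protected_page(store: ServerSessionStore, cookie: str, now: int):
    """Simulated handler returning (status, headers, body); hypothetical, not Airflow's."""
    user = store.resolve(cookie, now) if cookie else None
    if user is None:
        return 302, {**NO_CACHE, "Location": "/login"}, ""
    return 200, dict(NO_CACHE), f"dashboard for {user}"


if __name__ == "__main__":
    t0 = 1_000_000
    # Stateless: the cookie still verifies after "logout" because nothing changed server-side.
    c = make_stateless_cookie("alice", ttl=3600, now=t0)
    print("stateless replay after logout:", verify_stateless_cookie(c, now=t0 + 60))
    # Stateful: the replayed cookie is rejected once the server record is gone.
    store = ServerSessionStore()
    sid = store.login("alice", ttl=3600, now=t0)
    store.logout(sid)
    print("stateful replay after logout:", protected_page(store, sid, now=t0 + 60)[0])
```

Flask's default session is a signed client-side cookie, which corresponds to the first design; a server-side store (Flask-Session or an equivalent) is what makes the second possible. The `no-store` header addresses only the back-button symptom; the authentication check in the handler is what stops a replayed cookie from rendering content.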