[ https://issues.apache.org/jira/browse/AIRFLOW-4185?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ash Berlin-Taylor updated AIRFLOW-4185:
---------------------------------------
    Priority: Minor  (was: Major)

This is low priority - if requests can be intercepted then much is already
lost.

> [security] ui - Logout does not invalidate the session correctly
> ----------------------------------------------------------------
>
>                 Key: AIRFLOW-4185
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4185
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security, ui
>            Reporter: t oo
>            Priority: Minor
>
> The logout function for the Airflow application does not invalidate the
> session cookies. A new cookie is typically issued on each new page or action,
> leaving multiple cookies active until they reach the cookie expiry time.
> After logout, the application may also be accessed again by pressing the back
> button in the browser.
>
> A logout request is made with a session cookie.
> Successful requests are made to the server after logout using the same
> cookie.
> After logging out, this cookie can also be used to make successful requests
> to the server before its expiry.
>
> Business Impact/Attack Scenario
> An attacker can replay the original session information to gain access to
> the application after a logout has been completed, or return to the
> application via the back button.
>
> Recommendation
> Logout needs to be configured to completely invalidate the session cookies
> (client and server-side) to prevent replay attacks.
> All protected pages need to check the authentication state and authorisation
> role before performing any significant work, including rendering content.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
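The recommendation in the quoted report (revoke the session on the server and on the client, and re-check authentication state before rendering any protected page) is illustrated below with an added, constructed example; it is not Airflow's or Flask-AppBuilder's code, and `SessionStore`, `protected_view` and `logout_response` are hypothetical names for a generic server-side session model, standing in for the framework's own handlers.

```python
import secrets
import time

class SessionStore:
    """Constructed in-memory server-side session store. The cookie carries only
    an opaque id; the authority lives here, so logout can revoke a session even
    if the browser (or an attacker) still holds the cookie value."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # session id -> {"user": ..., "expires": ...}

    def login(self, username, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "expires": now + self.ttl}
        return sid

    def logout(self, sid):
        # Server-side revocation: deleting the record is what makes a replayed
        # cookie fail. Clearing the cookie in the browser alone does not.
        self._sessions.pop(sid, None)

    def current_user(self, sid, now=None):
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None or rec["expires"] <= now:
            self._sessions.pop(sid, None)  # drop expired records eagerly
            return None
        return rec["user"]

def protected_view(store, cookie_sid, required_role, roles_by_user):
    """Check authentication and authorisation before doing any work, including
    rendering, and mark the response no-store so the browser back button cannot
    show cached protected content after logout. Returns (status, headers, body)."""
    user = store.current_user(cookie_sid)
    if user is None:
        return 302, {"Location": "/login", "Cache-Control": "no-store"}, ""
    if required_role not in roles_by_user.get(user, ()):
        return 403, {"Cache-Control": "no-store"}, "forbidden"
    return 200, {"Cache-Control": "no-store"}, "dashboard for " + user

def logout_response(store, cookie_sid):
    """Revoke server-side, then expire the cookie client-side (Max-Age=0), so
    both halves of the report's recommendation are covered."""
    store.logout(cookie_sid)
    headers = {"Location": "/login", "Cache-Control": "no-store",
               "Set-Cookie": "session=; Max-Age=0; HttpOnly; Secure; Path=/"}
    return 302, headers, ""
```

A replayed cookie after `logout_response` now yields a redirect to `/login` rather than a 200, which is the check a reviewer would use to confirm the fix.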