This is an automated email from the ASF dual-hosted git repository. dill0wn pushed a commit to branch dw/8579 in repository https://gitbox.apache.org/repos/asf/allura.git
commit 8e8735a6eeb0f5617c0600f295b1909ea5e7d80a
Author: Dillon Walls <[email protected]>
AuthorDate: Wed May 14 19:44:19 2025 +0000

    [#8579] set Clear-Site-Data response header upon logout to clear cookies and storage
---
 Allura/allura/lib/plugin.py                 | 2 ++
 Allura/allura/tests/functional/test_auth.py | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index bdb7ecdd6..2e9e42786 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -313,6 +313,8 @@ def logout(self):
         self.session.invalidate()
         self.session.save()
         response.set_cookie('memorable_forget', '/', secure=request.environ['beaker.session'].secure)
+        # signal to browser to clear saved data
+        response.headers['Clear-Site-Data'] = '"cookies", "storage"'
 
     def validate_password(self, user: M.User, password: str) -> bool:
         ok = self._validate_password(user, password)
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index c0d3e7f6d..80fd2674b 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -274,7 +274,10 @@ def test_logout(self):
         links = r.html.find(*nav_pattern).find_all('a')
         assert links[-1].string == "Log Out"
 
-        r = self.app.get('/auth/logout').follow().follow()
+        r = self.app.get('/auth/logout')
+        assert 'Clear-Site-Data' in r.headers
+
+        r = r.follow().follow()
         logged_out_session = r.session['_id']
         assert logged_in_session is not logged_out_session
         links = r.html.find(*nav_pattern).find_all('a')
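Review bot: The `Clear-Site-Data` header set after the `set_cookie` call is only honored by browsers in a secure (HTTPS) context, so on a plain-HTTP deployment the logout still relies solely on `self.session.invalidate()`; the comment should record that limitation, e.g. `# signal to browser to clear saved data (honored only over HTTPS; server-side invalidation above is the real guarantee)`. The `"cookies"` directive also clears cookies for the whole registrable domain rather than just this application's path, which may log the user out of sibling hosts sharing the domain — presumably intended, but worth a note. Whether the `memorable_forget` cookie set on the preceding line survives depends on the order in which a browser applies Clear-Site-Data and Set-Cookie from the same response, and the functional test only checks the header's presence, so that interaction is worth confirming in a real browser. `logout` begins outside the hunk.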
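Review bot: The new `assert 'Clear-Site-Data' in r.headers` only checks that the header exists, so a regression to an empty or malformed directive list (or one that drops `"storage"`) would still pass; pin the value with `assert r.headers['Clear-Site-Data'] == '"cookies", "storage"'`. The rest of `test_logout` begins outside the hunk.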
