andrewmusselman opened a new issue, #738: URL: https://github.com/apache/tooling-trusted-releases/issues/738
**ASVS Reference:** 7.2.4 **Finding:** 7.2.4-06 ### Description When authenticating via Bearer tokens or Basic Auth (via the `Authorization` header), the `asfquart/session.py` `read()` function creates an ad-hoc session from the header credentials but does **not** clear any existing cookie session. If both an `Authorization` header and a valid session cookie are present, this could lead to session confusion or privilege inconsistency. ### Affected File - `src/asfquart/session.py` — `read()` function, Bearer/Basic auth handling ### Recommendation When header-based authentication is used, explicitly ignore or clear cookie session state to prevent ambiguity about which identity is active. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
