** Changed in: mahara/21.04
       Status: In Progress => Fix Committed

You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1930469

Title:
  Need to kill web service authentication session at end of process

Status in Mahara:
  Fix Released
Status in Mahara 20.04 series:
  Fix Committed
Status in Mahara 20.10 series:
  In Progress
Status in Mahara 21.04 series:
  Fix Committed

Bug description:
  Currently when a token-based webservice is called it authenticates the owner of the token on the Mahara end so that any functions called by the service can only be executed if the authenticated token owner can run those functions.

  One of the problems with the current setup is we don't then kill the session of this token owner when the webservice call is completed. This means if one hits a site with a crafted URL containing a valid token but no webservice function they will get an error message page, but if they then go to the home page of the site they will find they are logged in as the token owner.

  In the webservice_base_server class there is the run() method that goes through the steps to do a webservice call and the last part is calling $this->session_cleanup();

  And in that method is nothing to actually handle the logging out of that session.
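
A minimal model of the flaw described in this report, added here as an illustration and not taken from Mahara's code. Only run() and session_cleanup() are names from the report; the class name, the request keys, the token value and the array standing in for the PHP session are assumptions, and restoring the previous session user is one possible cleanup, not necessarily the committed fix.

```php
<?php
// Added illustration, not Mahara code. $session stands in for the cookie-backed
// PHP session; TokenServer, 'token' and 'function' are hypothetical names.
class TokenServer {
    /** Constructed token => owner map. */
    private array $tokens = ['constructed-token-123' => 'alice'];
    private bool $logoutOnCleanup;

    public function __construct(bool $logoutOnCleanup) {
        $this->logoutOnCleanup = $logoutOnCleanup;
    }

    // Mirrors the flow in the report: authenticate, dispatch, clean up last.
    public function run(array &$session, array $request): string {
        $previousUser = $session['user'] ?? null;   // identity before this call
        try {
            $owner = $this->tokens[$request['token'] ?? ''] ?? null;
            if ($owner === null) {
                return 'error: invalid token';
            }
            $session['user'] = $owner;              // token owner becomes session user
            if (empty($request['function'])) {
                return 'error: no function given';  // early exit, session already set
            }
            return "ok: {$request['function']} ran as $owner";
        } finally {
            $this->session_cleanup($session, $previousUser);
        }
    }

    private function session_cleanup(array &$session, ?string $previousUser): void {
        if (!$this->logoutOnCleanup) {
            return;                                 // the gap: identity is left behind
        }
        if ($previousUser === null) {
            unset($session['user']);                // caller was anonymous: log out
        } else {
            $session['user'] = $previousUser;       // restore whoever was logged in
        }
    }
}

// Regression check: token call without a function, then what the home page sees.
foreach ([false, true] as $fixed) {
    $session = [];                                  // one anonymous browser session
    $reply = (new TokenServer($fixed))->run($session, ['token' => 'constructed-token-123']);
    printf("%-10s reply=%s | home page user: %s\n",
        $fixed ? 'hardened' : 'vulnerable', $reply, $session['user'] ?? 'anonymous');
}
```

The cleanup sits in a `finally` block so that error exits, such as the missing-function case from the report, also clear the token owner's identity.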