rusackas opened a new pull request, #40201:
URL: https://github.com/apache/superset/pull/40201

   ### SUMMARY
   
   This is a **test-only PR** opened as a TDD-style validation of issue #24713.
   
   #24713 (filed 2023-07) reports that after calling `/logout/`, the same session cookie can be replayed in another browser to bypass authentication. The cookie should be invalidated server-side at logout.
   
   This PR adds one regression test on the session/logout flow:
   
   1. **`test_session_cookie_invalidated_after_logout`** — logs in as admin, captures the `session` cookie, calls `/logout/`, then replays the captured cookie via a fresh client against a protected endpoint (`api/v1/dashboard/`). Asserts the replay does **not** return 200.
   
   ### How to interpret CI
   
   - **CI green** → server-side session invalidation is in place; merging closes #24713 and locks in the regression guard.
   - **CI red** → the issue is still live; logout is purely client-side. Fix likely involves bumping the Flask session serializer salt / rotating the session token on logout, or hooking `user_logged_out` in `superset/security/manager.py`.
   
   ### TESTING INSTRUCTIONS
   
   ```bash
   pytest tests/integration_tests/security/api_tests.py::TestLogoutSessionInvalidation -v
   ```
   
   ### ADDITIONAL INFORMATION
   
   - [x] Has associated issue: closes #24713
   - [ ] Required feature flags:
   - [ ] Changes UI
   - [ ] Includes DB Migration
   - [ ] Introduces new feature or API
   - [ ] Removes existing feature or API
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
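The flow the PR's regression test exercises (log in, capture the session cookie, log out, replay the cookie from a fresh client) can be reproduced outside Superset with a small stand-alone model of the two session designs the description contrasts. The example below is added here and is not code from the PR or from Superset; it uses only the Python standard library rather than Flask, and every name in it (`StatelessSessions`, `RevocableSessions`, `protected_endpoint`, `replay_after_logout`, the demo secret) is a constructed placeholder. `StatelessSessions` models a pure signed-cookie session, where logout can only clear the browser's copy; `RevocableSessions` models the server-side invalidation the issue asks for, with an opaque session id that the server forgets at logout. It is a general illustration of the two behaviours, not a claim about how Superset's own session handling is implemented.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed demo secret; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def sign_cookie(payload: dict) -> str:
    """Serialize and HMAC a payload, in the style of a signed session cookie."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    mac = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_cookie(cookie: str) -> Optional[dict]:
    """Return the payload if the signature verifies, otherwise None."""
    if "." not in cookie:
        return None
    body, mac = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class StatelessSessions:
    """Pure signed-cookie sessions: the server keeps no state, so logout
    can only ask the browser to drop its cookie. A copy of the cookie taken
    before logout still verifies afterwards."""

    def login(self, user: str) -> str:
        return sign_cookie({"user": user})

    def logout(self, cookie: str) -> None:
        pass  # nothing exists on the server side to revoke

    def current_user(self, cookie: str) -> Optional[str]:
        data = verify_cookie(cookie)
        return data.get("user") if data else None


class RevocableSessions:
    """The cookie carries only an opaque random session id; the server keeps
    the set of live ids and removes the id at logout, so a replayed cookie
    no longer maps to a user."""

    def __init__(self) -> None:
        self._live: Dict[str, str] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._live[sid] = user
        return sign_cookie({"sid": sid})

    def logout(self, cookie: str) -> None:
        data = verify_cookie(cookie)
        if data:
            self._live.pop(data.get("sid"), None)

    def current_user(self, cookie: str) -> Optional[str]:
        data = verify_cookie(cookie)
        if not data:
            return None
        return self._live.get(data.get("sid"))


def protected_endpoint(sessions, cookie: str) -> int:
    """Stand-in for a protected API route: 200 when the cookie maps to a
    live user, otherwise 401."""
    return 200 if sessions.current_user(cookie) else 401


def replay_after_logout(sessions) -> int:
    """Mirror the regression test: log in, capture the cookie, call logout,
    then replay the captured cookie as if from a fresh client. Returns the
    status code the replay receives."""
    captured = sessions.login("admin")
    assert protected_endpoint(sessions, captured) == 200
    sessions.logout(captured)
    return protected_endpoint(sessions, captured)


if __name__ == "__main__":
    print("stateless:", replay_after_logout(StatelessSessions()))  # 200: replay still authenticates
    print("revocable:", replay_after_logout(RevocableSessions()))  # 401: replay rejected
```

The point the two classes make is the one behind the PR's "CI red" branch: a valid signature on the cookie is not the same as a live session, so a logout that only clears the browser's cookie leaves every earlier copy usable. Keeping the authoritative session state on the server (or, equivalently, rotating the material the cookie is validated against) is what turns the replay into a 401, and the `replay_after_logout` check is the shape of assertion that keeps that property from regressing.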
