rusackas commented on code in PR #40201:
URL: https://github.com/apache/superset/pull/40201#discussion_r3256317825


##########
tests/integration_tests/security/api_tests.py:
##########
@@ -402,3 +403,36 @@ def test_get_roles_with_specific_test_data(self):
         assert sorted(role2_api["user_ids"]) == role2_expected["user_ids"]
         assert sorted(role2_api["permission_ids"]) == 
role2_expected["permission_ids"]
         assert role2_api["group_ids"] == role2_expected["group_ids"]
+
+
+class TestLogoutSessionInvalidation(SupersetTestCase):
+    """Regression for #24713: a session cookie captured pre-logout must not 
grant
+    access after the user logs out. The original report describes copying the
+    session cookie out, calling /logout/, and successfully reusing the cookie 
in
+    a second browser to bypass authentication."""
+
+    def test_session_cookie_invalidated_after_logout(self):
+        self.login(ADMIN_USERNAME)
+
+        resp_authed = self.client.get("api/v1/dashboard/", 
follow_redirects=False)
+        assert resp_authed.status_code == 200, (
+            f"Login did not yield an authenticated session "
+            f"(got {resp_authed.status_code})"
+        )
+
+        captured = {
+            c.name: c.value for c in self.client.cookie_jar if c.name == 
"session"
+        }
+        assert captured, "expected a session cookie after login"
+
+        self.client.get("/logout/", follow_redirects=True)
+
+        replay_client = app.test_client()
+        for name, value in captured.items():
+            replay_client.set_cookie("localhost", name, value)

Review Comment:
   You're right — fixed in 94d2aff5. Switched from the old `client.cookie_jar` 
/ `set_cookie(server_name, key, value)` API to the current Werkzeug 2.3+ 
contract (`client._cookies` for read, `set_cookie(key, value, domain=...)` for 
write). CI confirmed an `AttributeError: 'FlaskClient' object has no attribute 
'cookie_jar'` before this — should now exercise the actual logout/replay path.


