question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

After invalidateSession I'm able to access secured endpoint with "invalidated" session

See original GitHub issue

Hello

Looks like the invalidateSession function doesn’t invalidate the session as it should. I’ll explain below what I mean. If you want to look at steps to reproduce without technical details, scroll to the end 😃

I use “com.softwaremill.akka-http-session” %% “core” % “0.4.0” with Scala version 2.12.1

I use following configs for session:

session {
  server-secret = "YzszrU1UkqsMqCNEnuLI8DDWs6Wqacj2z4dbtquSjB8GbsFpBA7GG38yk0DaIyrB"
  encrypt-data = true
  header {
    send-to-client-name = "Set-Authorization"
    get-from-client-name = "Authorization"
  }
}

Here is my session serialization (de-)

case class Session(role: String, email: String)
object Session {
implicit def serializer: SessionSerializer[Session, String] =
  new MultiValueSessionSerializer[Session](
    (session => Map(
      "role" -> session.role,
      "email" -> session.email)),
    (map => Try {
      Session(
        map.get("role").get,
        map.get("email").get)
    })
  )
}

And finally routes:

val routes = path("login") {
post {
  entity(as[Credentials]) { credentials =>
    onSuccess(userActor ? Authenticate(credentials)) {
      case loggedIn: LoggedIn => {
        setSession(oneOff, usingHeaders, Session(loggedIn.user.role, loggedIn.user.email)) {
          complete(HttpResponse(StatusCodes.OK))
        }
      }
      case noSuchEmail: NoUserWithEmail => complete(HttpResponse(StatusCodes.BadRequest))
      case InvalidPassword => complete(HttpResponse(StatusCodes.BadRequest))
    }
  }
}
} ~ path("me") {
get {
  requiredSession(oneOff, usingHeaders) { session =>
    complete(session.role)
  }
}
} ~ path("logout") {
post {
  requiredSession(oneOff, usingHeaders) { session =>
    invalidateSession(oneOff, usingHeaders) {
      complete(HttpResponse(StatusCodes.OK))
    }
  }
}
}

Here is what I do:

  1. Call POST /login and receive back in the header long_encrypted_token_A
  2. Call GET /me with the long_encrypted_token_A header and receive back appropriate response with ADMIN value
  3. Call POST /logout and receive back 200 response (here I assume that the session is invalidated)
  4. Call GET /me with the long_encrypted_token_A header and receive back appropriate response with ADMIN value

So the question:

Why I can still successfully can use the token after invalidation?

Thanks

Issue Analytics

  • State:open
  • Created 6 years ago
  • Reactions:1
  • Comments:7 (4 by maintainers)

github_iconTop GitHub Comments

1reaction
adamwcommented, Apr 18, 2017

Yes. That’s why sessions should always have an expiry date 😃 Optionally refreshed with the refresh token - which assumes external storage and “global” invalidation.

0reactions
adamwcommented, Nov 26, 2018

@kormoglaz so you are saying that the token is not removed from storage? That should happen … maybe you can try with a copy of InMemoryRefreshTokenStorage and with some debugging statements added.

Btw. this storage isn’t mean for production, only for testing. It’s not thread-safe (but making it such wouldn’t be hard, just a different Map implementation)

Read more comments on GitHub >

github_iconTop Results From Across the Web

Issues · softwaremill/akka-http-session - GitHub
After invalidateSession I'm able to access secured endpoint with "invalidated" session. #35 opened on Apr 17, 2017 by Fruzenshtein.
Read more >
API which does not allow to invalidate session on server side
So I see that if a hacker intercepts that cookie, then a user logs out (which means for me - remove the cookie)...
Read more >
Spring security OAuth2 - invalidate session after authentication
The token and rest-api endpoints are stateless and do not need a session. Can we invalidate the session after the user is authenticated?...
Read more >
Logout endpoint not invalidating sessions - Auth0 Community
I have a logout system that uses the Auth0lock to direct the browser to send the logout request to Auth0 to invalidate the...
Read more >
Client cookies are not getting removed after server session ...
Hi @ibacher, To invalidate session from server side you added below commit with webservices version 2.36.0, RESTWS-887: Session endpoint ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found