After invalidateSession I'm able to access secured endpoint with "invalidated" session
See original GitHub issueHello
Looks like the invalidateSession function doesn’t invalidate the session as it should. I’ll explain below what I mean. If you want to look at steps to reproduce without technical details, scroll to the end 😃
I use “com.softwaremill.akka-http-session” %% “core” % “0.4.0” with Scala version 2.12.1
I use following configs for session:
session {
server-secret = "YzszrU1UkqsMqCNEnuLI8DDWs6Wqacj2z4dbtquSjB8GbsFpBA7GG38yk0DaIyrB"
encrypt-data = true
header {
send-to-client-name = "Set-Authorization"
get-from-client-name = "Authorization"
}
}
Here is my session serialization (de-)
case class Session(role: String, email: String)
object Session {
implicit def serializer: SessionSerializer[Session, String] =
new MultiValueSessionSerializer[Session](
(session => Map(
"role" -> session.role,
"email" -> session.email)),
(map => Try {
Session(
map.get("role").get,
map.get("email").get)
})
)
}
And finally routes:
val routes = path("login") {
post {
entity(as[Credentials]) { credentials =>
onSuccess(userActor ? Authenticate(credentials)) {
case loggedIn: LoggedIn => {
setSession(oneOff, usingHeaders, Session(loggedIn.user.role, loggedIn.user.email)) {
complete(HttpResponse(StatusCodes.OK))
}
}
case noSuchEmail: NoUserWithEmail => complete(HttpResponse(StatusCodes.BadRequest))
case InvalidPassword => complete(HttpResponse(StatusCodes.BadRequest))
}
}
}
} ~ path("me") {
get {
requiredSession(oneOff, usingHeaders) { session =>
complete(session.role)
}
}
} ~ path("logout") {
post {
requiredSession(oneOff, usingHeaders) { session =>
invalidateSession(oneOff, usingHeaders) {
complete(HttpResponse(StatusCodes.OK))
}
}
}
}
Here is what I do:
- Call POST /login and receive back in the header long_encrypted_token_A
- Call GET /me with the long_encrypted_token_A header and receive back appropriate response with ADMIN value
- Call POST /logout and receive back 200 response (here I assume that the session is invalidated)
- Call GET /me with the long_encrypted_token_A header and receive back appropriate response with ADMIN value
So the question:
Why I can still successfully can use the token after invalidation?
Thanks
Issue Analytics
- State:
- Created 6 years ago
- Reactions:1
- Comments:7 (4 by maintainers)
Top Results From Across the Web
Issues · softwaremill/akka-http-session - GitHub
After invalidateSession I'm able to access secured endpoint with "invalidated" session. #35 opened on Apr 17, 2017 by Fruzenshtein.
Read more >API which does not allow to invalidate session on server side
So I see that if a hacker intercepts that cookie, then a user logs out (which means for me - remove the cookie)...
Read more >Spring security OAuth2 - invalidate session after authentication
The token and rest-api endpoints are stateless and do not need a session. Can we invalidate the session after the user is authenticated?...
Read more >Logout endpoint not invalidating sessions - Auth0 Community
I have a logout system that uses the Auth0lock to direct the browser to send the logout request to Auth0 to invalidate the...
Read more >Client cookies are not getting removed after server session ...
Hi @ibacher, To invalidate session from server side you added below commit with webservices version 2.36.0, RESTWS-887: Session endpoint ...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Yes. That’s why sessions should always have an expiry date 😃 Optionally refreshed with the refresh token - which assumes external storage and “global” invalidation.
@kormoglaz so you are saying that the token is not removed from storage? That should happen … maybe you can try with a copy of
InMemoryRefreshTokenStorage
and with some debugging statements added.Btw. this storage isn’t mean for production, only for testing. It’s not thread-safe (but making it such wouldn’t be hard, just a different
Map
implementation)