Posted to commits@airflow.apache.org by "Ash Berlin-Taylor (JIRA)" <ji...@apache.org> on 2019/04/17 10:52:00 UTC

[jira] [Commented] (AIRFLOW-4185) [security] ui - Logout does not invalidate the session correctly

    [ https://issues.apache.org/jira/browse/AIRFLOW-4185?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16819963#comment-16819963 ] 

Ash Berlin-Taylor commented on AIRFLOW-4185:
--------------------------------------------

The only way to fix this would be to change the session store type to one we can invalidate/remove records from. Maybe we should make that a configuration option (with the default staying as the current cookie-based store?)

> [security] ui - Logout does not invalidate the session correctly
> ----------------------------------------------------------------
>
>                 Key: AIRFLOW-4185
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4185
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security, ui
>            Reporter: t oo
>            Priority: Minor
>
> The logout function for the Airflow application does not invalidate the session cookies. A new cookie is typically issued on each new page or action, leaving multiple cookies active until they reach the cookie expiry time. After logout, the application may also be accessed again by pressing the back button in the browser.
>
> A logout request is made with a session cookie.
> Successful requests are made to the server after logout using the same cookie.
> After logging out, this cookie can also be used to make successful requests to the server before its expiry.
>
> Business Impact/Attack Scenario
> An attacker can replay the original session information to gain access to the application after a logout has been completed, or return to the application via the back button.
>
> Recommendation
> Logout needs to be configured to completely invalidate the session cookies (client and server-side) to prevent replay attacks.
> All protected pages need to check the authentication state and authorisation role before performing any significant work, including rendering content.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
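Added illustration (not code from the ticket, the commenter, or Airflow itself) of the design point behind the comment above: a signed-cookie session can only be dropped by the browser, so a replayed copy keeps verifying until it expires, whereas a server-side store can delete the record at logout. The secret key, the HMAC cookie format and the `ServerSessionStore` class are constructed for this example; Airflow's actual session handling comes from Flask and is not reproduced here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-secret"  # constructed for the example; load from config in practice


# --- Client-side session: a signed cookie carries the whole session state ---
def sign_cookie(payload: dict) -> str:
    """Serialise the session and append an HMAC-SHA256 tag (constructed format)."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str) -> Optional[dict]:
    """Return the session payload if the tag is valid, else None."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def cookie_logout(cookie: str) -> None:
    # The server holds no record of signed-cookie sessions, so there is nothing to revoke;
    # logout can only ask the browser to discard its copy. This is the AIRFLOW-4185 behaviour.
    return None


# --- Server-side session store: the direction the comment proposes ---
class ServerSessionStore:
    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # opaque random id; state lives on the server
        self._sessions[sid] = {"user": user, "issued": time.time()}
        return sid

    def lookup(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # record removed: later requests with this id fail


def cookie_replay_after_logout() -> bool:
    """True means a copy of the cookie still authenticates after logout."""
    cookie = sign_cookie({"user": "alice"})
    cookie_logout(cookie)
    return verify_cookie(cookie) is not None


def server_replay_after_logout() -> bool:
    """False means the server-side store rejects the old session id after logout."""
    store = ServerSessionStore()
    sid = store.create("alice")
    store.logout(sid)
    return store.lookup(sid) is not None
```

The two `*_replay_after_logout` functions return `True` for the signed cookie and `False` for the server-side store, which is the difference the comment is pointing at.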