TPAC logout does not delete session
Bug #1248636 reported by Jeff Godin
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Evergreen | Fix Released | High | Unassigned | |
2.5 | Fix Released | High | Unassigned | |
2.6 | Fix Released | High | Unassigned | |
Bug Description
When a user logs out of the TPAC public catalog interface, the session is not deleted. The cookie on the client is cleared, but the session remains in memcached, and the authentication token can continue to be used, if it was retained via some means other than the standard browser cookie mechanisms.
The session will eventually expire after a configurable period of inactivity. The period will vary depending on if the session was created as a standard or as a persistent session.
In the JSPAC and Staff Client, "logout" deletes the session using a call to open-ils.
We should do the same thing in TPAC.
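The difference between the two logout behaviours described in the report, as an added example (not Evergreen code): a Python model that uses an in-memory stand-in for memcached. The cookie name `ses`, the timeout values and all class and function names are assumptions made for the illustration.

```python
import secrets
import time

# Constructed inactivity timeouts in seconds (assumed values, not Evergreen settings).
TIMEOUTS = {"standard": 420, "persistent": 1209600}

class SessionCache:
    """In-memory stand-in for the memcached session store (hypothetical)."""
    def __init__(self, clock=time.monotonic):
        self._store = {}
        self._clock = clock

    def create(self, user, kind="standard"):
        token = secrets.token_hex(16)
        self._store[token] = {"user": user, "kind": kind, "seen": self._clock()}
        return token

    def lookup(self, token):
        """Return the user for a live token, or None; a hit refreshes the inactivity timer."""
        session = self._store.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session["seen"] > TIMEOUTS[session["kind"]]:
            del self._store[token]  # expired through inactivity
            return None
        session["seen"] = now
        return session["user"]

    def delete(self, token):
        self._store.pop(token, None)

def logout_cookie_only(cache, cookies):
    """Reported behaviour: the client cookie is cleared, the session stays cached."""
    cookies.pop("ses", None)

def logout_delete_session(cache, cookies):
    """Requested behaviour: delete the server-side session, then clear the cookie."""
    token = cookies.pop("ses", None)
    if token is not None:
        cache.delete(token)

def token_valid_after_logout(logout, kind="standard"):
    """Regression check: does a token copied before logout still authenticate afterwards?"""
    cache = SessionCache()
    cookies = {"ses": cache.create("patron1", kind)}
    retained = cookies["ses"]  # token kept outside the browser cookie jar
    logout(cache, cookies)
    return "ses" not in cookies and cache.lookup(retained) is not None
```

A check shaped like `token_valid_after_logout` works as a regression test for a logout handler: it should return `False` for both standard and persistent sessions.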
Changed in evergreen:
status: New → Triaged
importance: Undecided → High
Changed in evergreen:
milestone: none → 2.7.1
status: Confirmed → Fix Released
information type: Private Security → Public Security
There's a branch for that in the security repo called: user/miker/lp1248636_logout-delete-session