path: root/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs
authorLibravatar vnugent <public@vaughnnugent.com>2023-09-09 19:47:51 -0400
committerLibravatar vnugent <public@vaughnnugent.com>2023-09-09 19:47:51 -0400
commit0f8e932e40910bfd7172632b62c61e7dc6801b25 (patch)
tree6b1539231ca10ee5e0fada05ea2672fb83c696f0 /plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs
parent1fe67b21fd3e0fe9e7063cd03e43e1583fce3ce1 (diff)
session detach support, cookie man and commands
Diffstat (limited to 'plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs')
-rw-r--r--plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs28
1 files changed, 24 insertions, 4 deletions
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs
index 9c304cd..e5adb17 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs
@@ -31,7 +31,7 @@ using VNLib.Plugins.Essentials.Endpoints;
namespace VNLib.Plugins.Essentials.Accounts.Endpoints
{
[ConfigurationName("logout_endpoint")]
- internal class LogoutEndpoint : ProtectedWebEndpoint
+ internal class LogoutEndpoint : UnprotectedWebEndpoint
{
public LogoutEndpoint(PluginBase pbase, IConfigScope config)
@@ -43,9 +43,29 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
protected override VfReturnType Post(HttpEntity entity)
{
- entity.InvalidateLogin();
- entity.CloseResponse(HttpStatusCode.OK);
- return VfReturnType.VirtualSkip;
+ /*
+ * If a connection is not properly authorized to modify the session
+ * we can invalidate the client by detaching the session. This
+ * should cause the session to remain in tact but the client will
+ * be detached.
+ *
+ * This prevents attacks where connection with just a stolen session
+ * id can cause the client's session to be invalidated.
+ */
+
+ if (entity.IsClientAuthorized(AuthorzationCheckLevel.Critical))
+ {
+ entity.InvalidateLogin();
+ entity.CloseResponse(HttpStatusCode.OK);
+ return VfReturnType.VirtualSkip;
+ }
+ else
+ {
+ //Detatch the session to cause client only invalidation
+ entity.Session.Detach();
+ entity.CloseResponse(HttpStatusCode.OK);
+ return VfReturnType.VirtualSkip;
+ }
}
}
}
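Review bot: The `else` branch calls `entity.Session.Detach()` for every caller that fails the Critical authorization check, including connections that carry no session at all, and nothing in the hunk shows that `Session` is guaranteed to be set on such a request; if the accessor throws or lazily creates a session for an anonymous caller, an unauthenticated POST to the logout route now either faults or creates a session only to detach it. A guard such as `if (entity.Session.IsSet)` (or whatever the session abstraction exposes — confirm against the `HttpEntity` API, which is outside this hunk) should precede the detach, with a `//TODO: confirm Session is always initialized for unauthorized callers before Detach()` note until it is. Because the first hunk switches the base class from `ProtectedWebEndpoint` to `UnprotectedWebEndpoint`, the base class no longer rejects unauthenticated callers and this `Post` body is now the only authorization decision for logout; that is worth stating in the class-level comment so the next maintainer does not "restore" the protected base and silently break the detach path. The comment block also describes the unauthorized case as a likely stolen-session-id attempt, yet the branch records nothing; emitting a log entry through the plugin's logger at that point would give operators the detection signal the comment itself implies. Minor wording in the added comment: "in tact" should be "intact" and "Detatch" should be "Detach".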