author | vnugent <public@vaughnnugent.com> | 2023-09-09 19:47:51 -0400 |
---|---|---|
committer | vnugent <public@vaughnnugent.com> | 2023-09-09 19:47:51 -0400 |
commit | 0f8e932e40910bfd7172632b62c61e7dc6801b25 (patch) | |
tree | 6b1539231ca10ee5e0fada05ea2672fb83c696f0 /plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs | |
parent | 1fe67b21fd3e0fe9e7063cd03e43e1583fce3ce1 (diff) |
session detatch support, cookie man and commands
Diffstat (limited to 'plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs')
-rw-r--r-- | plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs | 28 |
1 files changed, 24 insertions, 4 deletions
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs
index 9c304cd..e5adb17 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs
@@ -31,7 +31,7 @@ using VNLib.Plugins.Essentials.Endpoints;
 namespace VNLib.Plugins.Essentials.Accounts.Endpoints
 {
     [ConfigurationName("logout_endpoint")]
-    internal class LogoutEndpoint : ProtectedWebEndpoint
+    internal class LogoutEndpoint : UnprotectedWebEndpoint
     {
 
         public LogoutEndpoint(PluginBase pbase, IConfigScope config)
@@ -43,9 +43,29 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
 
         protected override VfReturnType Post(HttpEntity entity)
         {
-            entity.InvalidateLogin();
-            entity.CloseResponse(HttpStatusCode.OK);
-            return VfReturnType.VirtualSkip;
+            /*
+             * If a connection is not properly authorized to modify the session
+             * we can invalidate the client by detaching the session. This
+             * should cause the session to remain in tact but the client will
+             * be detached.
+             *
+             * This prevents attacks where connection with just a stolen session
+             * id can cause the client's session to be invalidated.
+             */
+
+            if (entity.IsClientAuthorized(AuthorzationCheckLevel.Critical))
+            {
+                entity.InvalidateLogin();
+                entity.CloseResponse(HttpStatusCode.OK);
+                return VfReturnType.VirtualSkip;
+            }
+            else
+            {
+                //Detatch the session to cause client only invalidation
+                entity.Session.Detach();
+                entity.CloseResponse(HttpStatusCode.OK);
+                return VfReturnType.VirtualSkip;
+            }
         }
     }
 }
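Review bot: The else branch calls `entity.Session.Detach()` for every request that fails the Critical check, and because the first hunk moves the class to UnprotectedWebEndpoint that now includes requests carrying no established session at all, so unless `HttpEntity` guarantees `Session` is always usable on an unprotected endpoint the call needs a session-presence guard before `Detach()`. If UnprotectedWebEndpoint also drops whatever origin or anti-forgery check ProtectedWebEndpoint performed, a cross-site POST can now detach (log out) the victim's client, which is a logout-CSRF exposure distinct from the stolen-session-id invalidation the commit guards against; neither base class is visible here, so this should be confirmed against them. Both branches end with the identical `entity.CloseResponse(HttpStatusCode.OK);` and `return VfReturnType.VirtualSkip;` lines, which can be hoisted below the if/else so only the `InvalidateLogin()`/`Detach()` choice is conditional. The block comment should read `intact` rather than `in tact` and `where a connection with`, and the inline comment `//Detach the session to cause client-only invalidation`.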