From 0f8e932e40910bfd7172632b62c61e7dc6801b25 Mon Sep 17 00:00:00 2001
From: vnugent
Date: Sat, 9 Sep 2023 19:47:51 -0400
Subject: session detatch support, cookie man and commands
---
 .../src/Endpoints/LogoutEndpoint.cs | 28 ++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
(limited to 'plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs')
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs
index 9c304cd..e5adb17 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs
@@ -31,7 +31,7 @@ using VNLib.Plugins.Essentials.Endpoints;
 namespace VNLib.Plugins.Essentials.Accounts.Endpoints
 {
 [ConfigurationName("logout_endpoint")]
- internal class LogoutEndpoint : ProtectedWebEndpoint
+ internal class LogoutEndpoint : UnprotectedWebEndpoint
 {
 public LogoutEndpoint(PluginBase pbase, IConfigScope config)
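Review bot: The base-class change on the `internal class LogoutEndpoint` line makes Post reachable by clients that the previous ProtectedWebEndpoint base would have turned away before the handler ran, and nothing at the class level records why that is deliberate. The justification only appears in the block comment inside Post in the next hunk, so a reader of the declaration alone is likely to read `UnprotectedWebEndpoint` on a logout endpoint as a mistake. A one-line XML summary above the attribute would carry the intent, e.g. `/// <summary>Deliberately unprotected: a request that fails the critical authorization check still has its session detached (not invalidated) in <see cref="Post"/>.</summary>`. The class body continues outside the hunk.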
@@ -43,9 +43,29 @@ namespace VNLib.Plugins.Essentials.Accounts.Endpoints
 protected override VfReturnType Post(HttpEntity entity)
 {
- entity.InvalidateLogin();
- entity.CloseResponse(HttpStatusCode.OK);
- return VfReturnType.VirtualSkip;
+ /*
+ * If a connection is not properly authorized to modify the session
+ * we can invalidate the client by detaching the session. This
+ * should cause the session to remain in tact but the client will
+ * be detached.
+ *
+ * This prevents attacks where connection with just a stolen session
+ * id can cause the client's session to be invalidated.
+ */
+
+ if (entity.IsClientAuthorized(AuthorzationCheckLevel.Critical))
+ {
+ entity.InvalidateLogin();
+ entity.CloseResponse(HttpStatusCode.OK);
+ return VfReturnType.VirtualSkip;
+ }
+ else
+ {
+ //Detatch the session to cause client only invalidation
+ entity.Session.Detach();
+ entity.CloseResponse(HttpStatusCode.OK);
+ return VfReturnType.VirtualSkip;
+ }
 }
 }
 }
-- cgit
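Review bot: Both branches of the new if/else in Post end with the identical tail `entity.CloseResponse(HttpStatusCode.OK); return VfReturnType.VirtualSkip;`, so the branch only needs to choose between `entity.InvalidateLogin()` and `entity.Session.Detach()` and the shared close/return can follow the if/else once. Because the endpoint is now unprotected (previous hunk), the else branch is the first code that runs for a caller with no valid login, and whether `entity.Session` is guaranteed to be populated on such a request is not visible here; if it can be absent, the `entity.Session.Detach()` call needs a guard, which is worth confirming against HttpEntity. Answering OK on the detach path too looks intentional, since a different status would tell a session-id-only caller that the check failed, and a short comment saying so would stop a later maintainer from "fixing" it to 401. Two comment typos while here: `//Detatch the session` → `//Detach the session` and `remain in tact` → `remain intact`.
```csharp
protected override VfReturnType Post(HttpEntity entity)
{
    // … unchanged: block comment explaining detach vs. invalidate …

    if (entity.IsClientAuthorized(AuthorzationCheckLevel.Critical))
    {
        entity.InvalidateLogin();
    }
    else
    {
        //Detach the session to cause client only invalidation
        entity.Session.Detach();
    }

    //Both paths report success to the client
    entity.CloseResponse(HttpStatusCode.OK);
    return VfReturnType.VirtualSkip;
}
```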