The logout function for the Airflow application does not invalidate the session cookies. A new cookie is typically issued on each new page or action, leaving multiple cookies active until they reach the cookie expiry time. After logout, the application may also be accessed again by pressing the back button in the browser.
A logout request is made with a session cookie.
Successful requests are made to the server after logout using the same cookie.
After logging out, this cookie can also be used to make successful requests to the server before its expiry.
Business Impact/Attack Scenario
An attacker can replay the original session information to gain access to the application after a logout has been completed, or return to the application via the back button.
Logout needs to be configured to completely invalidate the session cookies (client and server-side) to prevent replay attacks.
All protected pages need to check the authentication state and authorisation role before performing any significant work, including rendering content.
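The recommendation above hinges on one design point: a cookie that carries its own signed claims stays valid until its expiry no matter what the logout handler does, because the server holds nothing it could revoke. The following added example (illustrative code, not Airflow's or Flask's own implementation) contrasts that stateless model with a server-side session registry whose logout deletes the record, and shows a protected-page handler that checks authentication before doing any work. The secret key, the TTL, the `StatelessSessions`/`ServerSideSessions` classes and the choice to revoke every session the user holds on logout are assumptions made for the example.

```python
"""Added example: stateless signed cookie versus revocable server-side session.
Constructed for illustration; not the Airflow project's code."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Callable, Dict, Optional, Tuple

SECRET_KEY = b"constructed-demo-secret-do-not-reuse"  # constructed value for the example
SESSION_TTL = 3600  # seconds until a cookie expires (assumed value)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class StatelessSessions:
    """Signed-claims cookie: the server keeps no record of issued sessions,
    so logout can only ask the browser to drop the cookie (vulnerable model)."""

    def login(self, user: str, now: int) -> str:
        payload = json.dumps({"user": user, "exp": now + SESSION_TTL}).encode()
        mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
        return f"{_b64(payload)}.{mac}"

    def authenticate(self, cookie: str, now: int) -> Optional[str]:
        try:
            body, mac = cookie.split(".", 1)
            payload = _unb64(body)
        except ValueError:
            return None
        expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None  # tampered or foreign cookie
        claims = json.loads(payload)
        if now >= claims["exp"]:
            return None  # only expiry ends this session
        return claims["user"]

    def logout(self, cookie: str) -> None:
        # Nothing to revoke server-side: the signature stays valid until "exp".
        return None


class ServerSideSessions:
    """Opaque random session id looked up in a server-side registry.
    Logout deletes the record, so a replayed cookie is rejected at once."""

    def __init__(self) -> None:
        self._store: Dict[str, dict] = {}

    def login(self, user: str, now: int) -> str:
        sid = secrets.token_urlsafe(32)
        self._store[sid] = {"user": user, "exp": now + SESSION_TTL}
        return sid

    def authenticate(self, cookie: str, now: int) -> Optional[str]:
        rec = self._store.get(cookie)
        if rec is None:
            return None  # unknown or already revoked
        if now >= rec["exp"]:
            del self._store[cookie]  # lazy cleanup of expired entries
            return None
        return rec["user"]

    def logout(self, cookie: str) -> None:
        rec = self._store.pop(cookie, None)
        if rec is None:
            return
        # Design choice (assumed): also revoke every other session this user
        # holds, so cookies issued on earlier pages cannot stay active.
        for sid, other in list(self._store.items()):
            if other["user"] == rec["user"]:
                del self._store[sid]


def protected_page(sessions, cookie: str, now: int,
                   render: Callable[[str], str]) -> Tuple[int, str]:
    """Authenticate before any significant work, including rendering."""
    user = sessions.authenticate(cookie, now)
    if user is None:
        return 401, "login required"
    return 200, render(user)


if __name__ == "__main__":
    stateless, stateful = StatelessSessions(), ServerSideSessions()
    c1, c2 = stateless.login("alice", 1000), stateful.login("alice", 1000)
    stateless.logout(c1)
    stateful.logout(c2)
    print("stateless after logout:", stateless.authenticate(c1, 1001))
    print("server-side after logout:", stateful.authenticate(c2, 1001))
```

Running the module prints `alice` for the stateless cookie after logout and `None` for the server-side session, which is the difference the finding describes. In the stateless model the only lever is the expiry, which is why the evidence shows replay succeeding "before its expiry"; in the server-side model the cookie value is meaningless once its record is gone, and the back button re-requests the page, which now hits the 401 branch before any content is rendered.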