Apache Airflow - AIRFLOW-4185

[security] ui - Logout does not invalidate the session correctly


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security, ui
    • Labels: None

      Description

      The logout function for the Airflow application does not invalidate the session cookies. A new cookie is typically issued on each new page or action, leaving multiple cookies active until they reach the cookie expiry time. After logout, the application may also be accessed again by pressing the back button in the browser.

      • A logout request is made with a session cookie.
      • Successful requests are made to the server after logout using the same cookie.
      • After logging out, this cookie can also be used to make successful requests to the server before its expiry.

      Business Impact/Attack Scenario

      An attacker can replay the original session information to gain access to the application after a logout has been completed, or return to the application via the back button.

      Recommendation

      Logout needs to be configured to completely invalidate the session cookies (client and server-side) to prevent replay attacks.
      All protected pages need to check the authentication state and authorisation role before performing any significant work, including rendering content.
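The recommendation above has two halves: the server must keep authoritative session state so that logout can revoke it, and every protected view must check that state before rendering. The following is an added illustration written for this issue, not Airflow's own code or a patch for it. Flask's default session is a signed client-side cookie with no server-side record, which is consistent with the behaviour reported; the store below instead keeps the session table on the server, keyed by a hash of the cookie value, and logout revokes every session the user holds (so earlier cookies issued during the same visit die too). The class and function names (SessionStore, protected_page, logout_cookie_header, no_store_headers) and the 30-minute lifetime are assumptions of this example.

```python
"""Server-side session store whose logout revokes all of a user's sessions.

Added example for AIRFLOW-4185; not Airflow's code. All names here are
illustrative assumptions.
"""
import hashlib
import secrets
import time


class Session:
    """Authoritative server-side record for one issued cookie value."""

    def __init__(self, user, role, expires_at):
        self.user = user
        self.role = role
        self.expires_at = expires_at


class SessionStore:
    """Server-side session table; the cookie carries only an opaque token."""

    def __init__(self, clock=time.time, ttl_seconds=30 * 60):
        self._sessions = {}       # sha256(cookie value) -> Session
        self._clock = clock       # injectable so expiry can be tested
        self._ttl = ttl_seconds   # assumed lifetime for this example

    @staticmethod
    def _key(cookie_value):
        # Store a hash: a leaked table must not yield usable cookies.
        return hashlib.sha256(cookie_value.encode()).hexdigest()

    def login(self, user, role):
        cookie_value = secrets.token_urlsafe(32)
        self._sessions[self._key(cookie_value)] = Session(
            user, role, self._clock() + self._ttl)
        return cookie_value

    def authenticate(self, cookie_value):
        """Return the live Session for a cookie, or None if unknown, expired or revoked."""
        key = self._key(cookie_value)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if sess.expires_at <= self._clock():
            del self._sessions[key]   # lazy expiry
            return None
        return sess

    def logout(self, cookie_value):
        """Revoke every session of the user presenting this cookie; return how many."""
        sess = self.authenticate(cookie_value)
        if sess is None:
            return 0
        # Revoke all of the user's sessions, not only the presented one, because
        # the UI may have issued several cookies over the course of the visit.
        doomed = [k for k, s in self._sessions.items() if s.user == sess.user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def live_count(self):
        return len(self._sessions)


def logout_cookie_header(cookie_name="session"):
    """Set-Cookie header telling the browser to discard the cookie (client side)."""
    return "Set-Cookie: %s=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax" % cookie_name


def no_store_headers():
    """Response headers so the back button re-requests the page instead of showing cache."""
    return {"Cache-Control": "no-store", "Pragma": "no-cache"}


def protected_page(store, cookie_value, needed_role):
    """Gate a protected view: check authentication and role before rendering anything."""
    sess = store.authenticate(cookie_value)
    if sess is None:
        return 401, "not authenticated"
    if sess.role != needed_role:
        return 403, "insufficient role"
    return 200, "rendered for " + sess.user


def replay_after_logout_is_rejected(store=None):
    """Walk through the reported scenario; True means both cookies are dead after logout."""
    store = store if store is not None else SessionStore()
    first = store.login("alice", "Admin")
    second = store.login("alice", "Admin")   # a later page handed out a fresh cookie
    assert protected_page(store, first, "Admin")[0] == 200
    store.logout(first)
    return (protected_page(store, first, "Admin")[0] == 401
            and protected_page(store, second, "Admin")[0] == 401)


if __name__ == "__main__":
    print("replay after logout rejected:", replay_after_logout_is_rejected())
    print(logout_cookie_header())
```

The logout handler would call `store.logout(cookie)`, emit `logout_cookie_header()`, and redirect; every protected view would send `no_store_headers()` so the browser's back button cannot serve a cached copy of a page that should require a live session.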

            People

            • Assignee: Unassigned
            • Reporter: toopt4 t oo