Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 7b7f04104bb3d4e8dd20fa0e338a3e7a5ae3d9fa^! / .
commit7b7f04104bb3d4e8dd20fa0e338a3e7a5ae3d9fa[log] [tgz]
authorGunnar Mills <gmills@us.ibm.com>Mon Jun 06 15:22:37 2022 -0600
committerEd Tanous <ed@tanous.net>Fri Jun 10 22:14:27 2022 +0000
tree2c4f9d77bb108440b96dbabe54a477fe12fe1d24
parent70fae94d18ca81507b6f09d575a28f68248e8721 [diff]
On logout set Session cookie with expired date

The Session cookie is an HttpOnly cookie.
HttpOnly means the cookie cannot be accessed through client side script
because of this the GUI can not delete this cookie on log out.
Recommendation online was setting this cookie to an expired date.

From https://tools.ietf.org/search/rfc6265
"Finally, to remove a cookie, the server returns a Set-Cookie header
with an expiration date in the past. The server will be successful in
removing the cookie only if the Path and the Domain attribute in the
Set-Cookie header match the values used when the cookie was created."

For more information see
https://stackoverflow.com/questions/5285940/correct-way-to-delete-cookies-server-side

Modern browsers delete expired cookies although based on reading it
might not be right away but on the next request from that domain or
when the browser is cleaning up cookies.

When I tested the cookie is deleted right away.

Also set the SESSION to an empty string.

Discussed in discord here:
https://discord.com/channels/775381525260664832/855566794994221117/982351098998321163

Webui-vue and phosphor-webui both use this /logout route:
https://github.com/openbmc/webui-vue/blob/a5fefd0ad25753e5f7da03d77dfe7fe10255ebb6/src/store/modules/Authentication/AuthenticanStore.js#L50
https://github.com/openbmc/phosphor-webui/blob/339db9a4c8610c5ecb92993c0bbc2219933bc858/app/common/services/userModel.js#L46
It seemed unnecessary to add it to the SessionCollection Post.

Tested: No longer have the cookie after log out on webui-vue.
        Tested on Firefox and Chrome.

Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
Change-Id: Ic12b6f628293a80c93ffbbe1bf06c9b2d6a53af7

diff --git a/include/login_routes.hpp b/include/login_routes.hpp
index 1a35adf..fde4b8f 100644
--- a/include/login_routes.hpp
+++ b/include/login_routes.hpp

@@ -240,6 +240,11 @@
             asyncResp->res.jsonValue["message"] = "200 OK";
             asyncResp->res.jsonValue["status"] = "ok";
 
+            asyncResp->res.addHeader("Set-Cookie",
+                                     "SESSION="
+                                     "; SameSite=Strict; Secure; HttpOnly; "
+                                     "expires=Thu, 01 Jan 1970 00:00:00 GMT");
+
             persistent_data::SessionStore::getInstance().removeSession(session);
         }
         });