Issue 83: Make sign-out really invalidate all cookies
Status:  Released
Owner:  code-rev...@gtempaccount.com
Closed:  Oct 2012
Reported by code-rev...@gtempaccount.com, Sep 24, 2009
Reported by Shawn Pearce <sop@google.com> on Mon Feb 23 09:05:49 PST 2009
Source: JIRA GERRIT-83
Affected Version: 2.0.4

sign-out currently just deletes the user cookie.

It should instead send a message to the server requesting that the token be
made invalid for all time.

One way to do this would be to save a per-user XSRF private key for the HMAC
algorithm used to protect the cookie.  sign-out can destroy this private key,
such that subsequent requests won't be able to read it.

The downside to this approach is we need to store a per-user key, and query
the database to find the current private key, as we can't rely on it being in
memory.
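
The scheme proposed above, sketched as an added example (not part of the original report and not Gerrit's code): each account has its own HMAC key, every request looks that key up, and sign-out destroys it so cookies already issued stop verifying. The `USER_KEYS` dict standing in for the database table, the cookie layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Stand-in for the per-user key table the report says must live in the database.
USER_KEYS = {}  # hypothetical store: account id -> 32-byte HMAC key


def _mac(key, account, expires):
    """HMAC-SHA256 over the cookie's claims, hex-encoded as bytes."""
    msg = f"{account}:{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest().encode()


def sign_in(account, ttl=3600, now=None):
    """Issue a cookie value bound to the account's current key."""
    now = int(time.time()) if now is None else now
    if account not in USER_KEYS:
        USER_KEYS[account] = secrets.token_bytes(32)
    expires = now + ttl
    tag = _mac(USER_KEYS[account], account, expires).decode()
    return f"{account}:{expires}:{tag}"


def verify(cookie, now=None):
    """Return the account id if the cookie is valid, else None."""
    now = int(time.time()) if now is None else now
    try:
        account, expires_s, tag = cookie.rsplit(":", 2)
        expires = int(expires_s)
    except ValueError:
        return None                     # malformed cookie
    key = USER_KEYS.get(account)        # the per-request lookup the report mentions
    if key is None:
        return None                     # key was destroyed by sign-out
    if not hmac.compare_digest(tag.encode(), _mac(key, account, expires)):
        return None                     # forged, or signed under an older key
    return account if expires > now else None


def sign_out(account):
    """Destroy the key: every cookie issued under it stops verifying."""
    USER_KEYS.pop(account, None)
```

A copy of the cookie kept after sign-out fails `verify()` even though it has not expired, and signing in again creates a fresh key, so the old cookie stays invalid.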
Sep 24, 2009
#1 code-rev...@gtempaccount.com
Comment by Shawn Pearce <sop@google.com> on Sat Aug 15 18:51:41 PDT 2009

Fixed by https://review.source.android.com/11198
Sep 24, 2009
#2 code-rev...@gtempaccount.com
Update by Shawn Pearce <sop@google.com> on Sat Aug 15 18:51:41 PDT 2009

Fixed in version 2.0.19.
Status: Fixed
Sep 25, 2009
#3 code-rev...@gtempaccount.com
(No comment was entered for this change.)
Labels: FixedIn-2.0.19
Oct 25, 2012
#4 sop@google.com
(No comment was entered for this change.)
Status: Released