Issue 83: Make sign-out really invalidate all cookies
Reported by Shawn Pearce <sop@google.com> on Mon Feb 23 09:05:49 PST 2009
Source: JIRA GERRIT-83
Affected Version: 2.0.4

Sign-out currently just deletes the user cookie. It should instead send a message to the server requesting that the token be made invalid for all time.

One way to do this would be to save a per-user XSRF private key for the HMAC algorithm used to protect the cookie. Sign-out can destroy this private key, such that subsequent requests won't be able to read it.

The downside to this approach is that we need to store a per-user key, and query the database to find the current private key, as we can't rely on it being in memory.
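The scheme proposed in the report, as an added illustration that is not Gerrit's code: the cookie is an account id plus an HMAC under a per-user key, every request looks the key up, and sign-out destroys the key so that nothing signed under it can verify again. The `PerUserKeyStore` class and its in-memory dict are hypothetical stand-ins for the database table the report describes.

```python
import hashlib
import hmac
import secrets


class PerUserKeyStore:
    """Hypothetical stand-in for the per-user XSRF key table the report proposes.

    An in-memory dict plays the role of the database; the report's point is
    that the key must be looked up on every request, not assumed to be in memory.
    """

    def __init__(self):
        self._keys = {}  # account_id -> 32-byte HMAC key; absent once signed out

    def _lookup(self, account_id):
        # The per-request "query the database" step the report warns about.
        return self._keys.get(account_id)

    def issue_cookie(self, account_id):
        """Sign-in: mint (or reuse) the user's private key and sign the cookie."""
        key = self._lookup(account_id)
        if key is None:
            key = secrets.token_bytes(32)
            self._keys[account_id] = key
        payload = str(account_id).encode()
        mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
        return f"{account_id}.{mac}"

    def verify_cookie(self, cookie):
        """Return the account id the cookie proves, or None if it is not valid."""
        try:
            account_text, mac = cookie.split(".", 1)
            account_id = int(account_text)
        except ValueError:
            return None
        key = self._lookup(account_id)
        if key is None:
            # Key destroyed at sign-out: the token is dead even if the browser kept it.
            return None
        expected = hmac.new(key, account_text.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None
        return account_id

    def sign_out(self, account_id):
        """Destroy the private key so every cookie signed under it is invalid for all time."""
        self._keys.pop(account_id, None)
```

A later sign-in mints a fresh random key, so a cookie captured before sign-out still fails verification afterwards.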
#1 code-rev...@gtempaccount.com, Sep 24, 2009
Update by Shawn Pearce <sop@google.com> on Sat Aug 15 18:51:41 PDT 2009 Fixed in version 2.0.19.
Status:
Fixed
Sep 25, 2009
(No comment was entered for this change.)
Labels:
FixedIn-2.0.19
Oct 25, 2012
(No comment was entered for this change.)
Status:
Released