Logging out while impersonating a user should also delete the sudo token

RESOLVED FIXED in Bugzilla 6.0

Status


Bugzilla
User Accounts
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

Bugzilla 6.0
Bug Flags:
approval +

Details

Attachments

(1 attachment)

(Assignee)

Description

2 years ago
If a user clicks the "end session" link, the sudo cookie and token are correctly removed. But if the user clicks the "log out" link directly before clicking the "end session" link, then only the sudo cookie is deleted; the sudo token is still stored in the DB. It should be deleted too (this will also prevent this token from being reused by an evil user if he can guess it).
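
A minimal model of the behaviour reported above, added here as an illustration; it is not Bugzilla's code or the attached patch. The `TokenStore` class, the function names, and the assumption that the sudo cookie carries the token value are all constructed for the example.

```python
import secrets


class TokenStore:
    """Stand-in for the server-side tokens table (constructed, not Bugzilla's schema)."""
    def __init__(self):
        self._rows = {}  # token -> (user_id, token_type)

    def issue(self, user_id, token_type):
        token = secrets.token_urlsafe(16)
        self._rows[token] = (user_id, token_type)
        return token

    def delete(self, token):
        self._rows.pop(token, None)

    def is_valid(self, token, token_type):
        return self._rows.get(token, (None, None))[1] == token_type


def end_session(cookies, store):
    """'End session' path: drops the sudo cookie and its server-side token."""
    token = cookies.pop("sudo", None)
    if token is not None:
        store.delete(token)


def logout_before_fix(cookies, store):
    """'Log out' path as reported: cookies are cleared, the sudo token row stays."""
    cookies.pop("sudo", None)
    cookies.pop("login", None)


def logout_after_fix(cookies, store):
    """'Log out' path with the fix: revoke the sudo token, then clear the login cookie."""
    end_session(cookies, store)
    cookies.pop("login", None)


def simulate(logout):
    """Start an impersonation session, log out, report (cookie present, token still valid)."""
    store = TokenStore()
    sudo_token = store.issue(user_id=1, token_type="sudo")
    cookies = {"login": "constructed-login-cookie", "sudo": sudo_token}
    logout(cookies, store)
    return "sudo" in cookies, store.is_valid(sudo_token, "sudo")
```

From the browser's side both logout variants look identical, since the cookie is gone either way; the difference is only visible in the server-side store, which is where a regression test for this class of bug has to look.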
(Assignee)

Comment 1

2 years ago
Created attachment 8635718
patch, v1
Assignee: user-accounts → LpSolit
Status: NEW → ASSIGNED
Attachment #8635718 - Flags: review?(dkl)
Comment on attachment 8635718
patch, v1

Review of attachment 8635718:
-----------------------------------------------------------------

r=dkl
Attachment #8635718 - Flags: review?(dkl) → review+

Updated

2 years ago
Flags: approval?

Updated

2 years ago
Flags: approval? → approval+
(Assignee)

Comment 3

2 years ago
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   40dbd9d..4d8d27d  master -> master
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → Bugzilla 6.0