It was observed that even after user is logged out in the browser, it is still possible to perform authenticated actions using previously captured requests as the cookie is not invalidated on the server.
Please, can someone help?
Hey @mhd-rawashdah!
How are you currently logging out users? The more detail you can provide and even steps to reproduce the better!
Hey @tyf
Thank you for your prompt response
I am using the standard configuration of the auth0-nextjs SDK, following the documentation. I have a logout endpoint configured using auth0.handleAuth():
```ts
import type { NextApiRequest, NextApiResponse } from 'next'
// `auth0` is the instance returned by initAuth0 (configuration shown below);
// `Locale` and `auth0BaseUrl` come from the app's own modules.

export default auth0.handleAuth({
  logout: async (req: NextApiRequest, res: NextApiResponse) => {
    // Pick the locale for the post-logout redirect from the NEXT_LOCALE cookie
    let locale = req.cookies.NEXT_LOCALE
    locale = locale === Locale.AR ? 'ar' : 'en'
    await auth0.handleLogout(req, res, {
      returnTo: `${auth0BaseUrl}/${locale}/partner/pre-register?origin=dsa`
    })
  }
})
```
Here are the Auth0 SDK configurations:
```ts
import { initAuth0 } from '@auth0/nextjs-auth0'

export default initAuth0({
  secret: auth0Secret,
  issuerBaseURL: auth0IssuerBaseUrl,
  baseURL: auth0BaseUrl,
  clientID: auth0ClientId,
  clientSecret: auth0ClientSecret,
  authorizationParams: {
    scope: 'openid profile email offline_access'
  },
  session: {
    rolling: true,
    rollingDuration: 30 * 60, // 30 minutes
    cookie: {
      transient: true
    }
  }
})
```
For logout, there is a CTA on the client side using an HTML link element:
```html
<a href="api/logout">Sign Out</a>
```
Steps to reproduce:
```ts
auth0.getSession()
```
returns the session. So, an attacker or previous user with an old session cookie can continue to perform unauthorized actions even after the actual user terminates the current session.
The expected result is that once a user logs out, the session cookie of that user must be forcefully invalidated on the server.
Hey @tyf
Please, do you have any update on this?
Ensure your server invalidates the session cookie upon logout to prevent authenticated actions. Review your logout endpoint and session management to correctly invalidate sessions in Next.js with Auth0.
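Added example, not the SDK's or the poster's code: the default nextjs-auth0 session lives entirely in an encrypted cookie, so logout can only clear it in the browser and a captured copy stays usable until it expires. The server-side invalidation the reply above asks for means keeping the session record on the server, keyed by an opaque id in the cookie, and deleting that record on logout; `SessionRegistry`, `ROLLING_DURATION_MS` and the user names below are constructed for illustration.

```typescript
// Added example: server-side session registry so that logout revokes the
// session on the server rather than only clearing the browser cookie.
import { randomUUID } from 'crypto';

export interface StoredSession {
  user: string;
  expiresAt: number; // epoch milliseconds
}

// Mirrors the 30-minute rollingDuration from the configuration in the thread.
export const ROLLING_DURATION_MS = 30 * 60 * 1000;

export class SessionRegistry {
  private sessions = new Map<string, StoredSession>();

  // Login: create the server-side record and return the opaque id that goes
  // into the cookie. The cookie itself carries no user data.
  create(user: string, now = Date.now()): string {
    const id = randomUUID();
    this.sessions.set(id, { user, expiresAt: now + ROLLING_DURATION_MS });
    return id;
  }

  // Every request: map cookie -> session, rejecting unknown (revoked) or
  // expired ids and sliding the expiry on success (rolling session).
  resolve(cookieValue: string | undefined, now = Date.now()): StoredSession | null {
    if (!cookieValue) return null;
    const session = this.sessions.get(cookieValue);
    if (!session) return null; // never issued, or already revoked by logout
    if (session.expiresAt <= now) {
      this.sessions.delete(cookieValue);
      return null;
    }
    session.expiresAt = now + ROLLING_DURATION_MS;
    return session;
  }

  // Logout: delete the server-side record, so a replayed copy of the cookie
  // no longer resolves. Returns false if nothing was there to revoke.
  revoke(cookieValue: string | undefined): boolean {
    return cookieValue !== undefined && this.sessions.delete(cookieValue);
  }

  // Revoke every live session of one user (e.g. after a credential change).
  revokeAllFor(user: string): number {
    let count = 0;
    for (const [id, s] of this.sessions) {
      if (s.user === user && this.sessions.delete(id)) count++;
    }
    return count;
  }
}
```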