Active
Project:
Secure Pages Hijack Prevention
Version:
6.x-1.x-dev
Component:
Documentation
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
12 Mar 2011 at 22:59 UTC
Updated:
2 Apr 2011 at 03:40 UTC
Hi. Just spent a bunch of time on this so I thought I'd bring it up. I suggest you add the following to the documentation:
It is recommended that you set the path /logout to be a secure page. On logout, in certain cases (especially on high performance sites), there is a need to clear out any cookies that might have been set to properly clean up the session. This avoids problems with upstream caching proxies such as Varnish. If the /logout page is not secure, the SSL cookie that is set by this module isn't available in the $_COOKIES array. You can then wind up with the normal session cookie having been removed, but the SSL cookie remaining on the site.
I hope that makes sense.
Comments
Comment #1
rjbrown99 commentedAlso worth reading if people find this issue: #791888: sess_destroy_sid() does not remove the session cookie from the user's browser.
Comment #2
izmeez commentedsubscribing
Comment #3
shadowmihai commentedsubscribing
Comment #4
cedarm commentedMakes sense to me, although from the HTTP perspective the session is already "clean" because the SSL cookie "doesn't exist".
@rjbrown99 can you elaborate on the case(s) where having the SSL cookie hang around affects things?
Comment #5
rjbrown99 commentedSure. For purposes of my upstream reverse proxy (varnish), it won't cache anything where it sees a valid cookie for the site. So I have a user that logs out of the authenticated portion of the site, the standard Drupal cookie is cleared but the SSL cookie remains. In that case, Varnish still sees a cookie and won't cache anything. If I properly remove all of the cookies now the user can surf the unauthenticated portion of the site and have everything cached.
Comment #6
cedarm commentedI'm working on exactly this with varnish right now and that's my point. Varnish doesn't support SSL and because of the https only flag on the SSL cookie varnish will never see it and therefore return cached pages. Or do you have something in front of Varnish to handle the SSL side? Hmm.. I suppose in that case varnish would get the SSL cookie.