
We have had our Superset instance tested by the security team. They are performing the following steps:

1. Log in to Superset.
2. Copy the session cookies with the help of a browser extension.
3. Log out from Superset.
4. Import the session cookies into a second browser.
5. Open the Superset login URL in the second browser.

Now Superset is logged in in the second browser. It can also be replicated in the same browser.

Cookies are supposed to be invalidated after logout.

How do I invalidate session cookies after logout in Superset, so that this scenario is avoided?

We are using LDAP for user authentication.

Kamal Kumar

  • Here is the related [GitHub issue](https://github.com/apache/superset/issues/24713) you've opened. – Sebastian Liebscher Jul 25 '23 at 12:59
  • @SebastianLiebscher, can you please guide me where I should look for a solution? Yes, I also raised an issue on the Superset repo, unfortunately no response. – Kamal Kumar Jul 26 '23 at 06:25
  • You can post the problem on Superset Slack or the dev mailing list to raise awareness ([have a look here](https://github.com/apache/superset/wiki)). If you are comfortable with Python, you can also try to fix the code in question and create a PR. – Sebastian Liebscher Jul 26 '23 at 10:18
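The behaviour in the question is what you get from a purely client-side session: Superset is a Flask application, and Flask's default session is a signed cookie that carries all of its state, so the server holds nothing it could delete at logout. The following added example (not Superset's or Flask's own code) shows three session designs side by side, reproduces the security team's test against each, and shows which ones reject a cookie copied before logout. The `SECRET_KEY`, the user names and the in-memory dictionaries (standing in for a database column or a Redis store) are constructed for the demo; a server-side session store is the same idea Flask-Session style extensions implement.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret; a real deployment reads SECRET_KEY from its config.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def _sign(body: str) -> str:
    """HMAC-SHA256 over the cookie body, hex encoded."""
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()


class ClientSideSessions:
    """Stateless signed-cookie sessions (what Flask does by default).
    The cookie *is* the session state, so the server has nothing to revoke."""

    def _issue(self, claims: dict) -> str:
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return f"{body}.{_sign(body)}"

    def _verify(self, cookie: str):
        body, sep, sig = cookie.rpartition(".")
        if not sep or not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return None  # malformed or tampered cookie
        return json.loads(base64.urlsafe_b64decode(body))

    def login(self, username: str) -> str:
        return self._issue({"user": username, "iat": time.time()})

    def current_user(self, cookie: str):
        claims = self._verify(cookie)
        return claims["user"] if claims else None

    def logout(self, cookie: str) -> None:
        # No server-side record exists; logout can only tell one browser to
        # drop the cookie. Any copy keeps validating until the cookie expires.
        return None


class GenerationCheckedSessions(ClientSideSessions):
    """Signed cookies plus one integer per user kept server-side. Logout bumps
    the user's generation, so every cookie issued before it stops validating."""

    def __init__(self):
        self._generation = {}  # username -> current generation (a DB column in practice)

    def login(self, username: str) -> str:
        gen = self._generation.setdefault(username, 0)
        return self._issue({"user": username, "gen": gen, "iat": time.time()})

    def current_user(self, cookie: str):
        claims = self._verify(cookie)
        if not claims or claims.get("gen") != self._generation.get(claims["user"], 0):
            return None
        return claims["user"]

    def logout(self, cookie: str) -> None:
        claims = self._verify(cookie)
        if claims:
            self._generation[claims["user"]] = self._generation.get(claims["user"], 0) + 1


class ServerSideSessions:
    """Opaque random token in the cookie; all state lives server-side (Redis, DB).
    Logout deletes the record, so a copied cookie is rejected immediately."""

    def __init__(self):
        self._store = {}  # token -> session record (stands in for Redis/DB)

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self._store[token] = {"user": username, "iat": time.time()}
        return token

    def current_user(self, cookie: str):
        rec = self._store.get(cookie)
        return rec["user"] if rec else None

    def logout(self, cookie: str) -> None:
        self._store.pop(cookie, None)


def cookie_survives_logout(sessions) -> bool:
    """Reproduce the security team's test: copy the cookie, log out, present
    the copy again. True means the copy is still accepted (the reported weakness)."""
    cookie = sessions.login("alice")
    copied = cookie          # the copy taken with a browser extension before logout
    sessions.logout(cookie)  # logout in the first browser
    return sessions.current_user(copied) is not None


if __name__ == "__main__":
    for impl in (ClientSideSessions, GenerationCheckedSessions, ServerSideSessions):
        print(f"{impl.__name__:26s} copied cookie still valid after logout: "
              f"{cookie_survives_logout(impl())}")
```

The generation counter is the lightweight option when you want to keep stateless cookies: it needs one integer per user (which still works with LDAP authentication, since the local user record exists either way), but bumping it ends all of that user's sessions, not only the one that logged out. The server-side store gives per-session revocation at the cost of a lookup on every request; it also lets you enforce absolute lifetimes and list active sessions, which a signed cookie cannot do.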

0 Answers