We have our Superset instance tested by the security team. They are performing the following steps:
1. Log in to Superset.
2. Copy the session cookies with the help of a browser extension.
3. Log out from Superset.
4. Import the session cookies into a second browser.
5. Hit the Superset login URL in the second browser.
Now Superset is logged in in the second browser. It can be replicated in the same browser.
Cookies are supposed to be invalidated after logout.
How do I invalidate session cookies after logout in Superset, so that this scenario is avoided?
We are using LDAP for user authentication.
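
The five steps above can be reproduced in a small model. This is an added example, not part of the original post and not Superset's code. It assumes the instance uses Flask's default session handling, where the session is a signed cookie with no server-side record, and compares that with a server-side session store that logout can delete from. All class and function names are hypothetical, and the key is a constructed value.

```python
import base64, hashlib, hmac, secrets

SECRET_KEY = b"constructed-demo-key"  # constructed value, not a real deployment key

def sign(payload: bytes) -> str:
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (payload, mac))

def unsign(cookie: str):
    """Return the payload if the signature verifies, else None."""
    try:
        payload, mac = (base64.urlsafe_b64decode(p) for p in cookie.split("."))
    except ValueError:  # wrong number of parts or bad base64
        return None
    good = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(mac, good) else None

class ClientSideSessions:
    """Assumed default model: all state lives in the signed cookie."""
    def login(self, user):
        return sign(user.encode())
    def logout(self, cookie):
        # The server can only tell the browser to drop its copy; nothing is revoked.
        return None
    def current_user(self, cookie):
        payload = unsign(cookie)
        return payload.decode() if payload is not None else None

class ServerSideSessions:
    """The cookie carries only a random id; the record lives on the server."""
    def __init__(self):
        self.store = {}
    def login(self, user):
        sid = secrets.token_urlsafe(32).encode()
        self.store[sid] = user
        return sign(sid)
    def logout(self, cookie):
        # Deleting the record invalidates every copy of the cookie.
        self.store.pop(unsign(cookie), None)
    def current_user(self, cookie):
        return self.store.get(unsign(cookie))

def replay_after_logout(sessions):
    """Steps 1-5: log in, save the cookie, log out, present the saved copy."""
    cookie = sessions.login("alice")
    saved_copy = cookie
    sessions.logout(cookie)
    return sessions.current_user(saved_copy)
```

With the signed-cookie model the saved copy still authenticates after logout, because the signature remains valid until the cookie expires or the key changes. With the server-side store the same replay returns no user.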