Can't sign out from RStudio Server if "Stay signed in" is checked when first logging in #1538
Comments
jmcphers
changed the title
|
Another method for signing out—in addition to clearing out cookies—is to point the browser at the “auth-sign-in” page: <RStudio_Server_URI:port>/auth-sign-in |
|
I'm surprised no one's reported this since the issue also exists in 1.0 (and has ever since we added CSRF protection). Fix is pretty simple, and presuming it performs well it's a candidate for backporting. |
|
Verified fixed 1.2.152-3. |
jmcphers
added a commit
that referenced
this issue
Nov 16, 2017
Fixes an issue in which opening a new browser window can cause you to lose your CSRF token cookie (and therefore lose access to CRSF-guarded pages such as signout), since this cookie had no expiration and was therefore treated as a session cookie.
|
Backported to 1.1 patch here: b125809 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If you've chosen to "Stay signed in" when first logging in to RStudio Server, you can never sign out again after the first time you close all browsers. (If you sign out before exiting the browser app, signout will be successful.)
To reproduce:
--> 5a) Click on the signout icon in the upper right hand corner
or
--> 5b) Click on the "R" logo on the upper right to get to the home page, then click on the signout icon in the upper right hand corner
This takes you to the page "auth-sign-out" with the error
Missing or incorrect token.
The only way to sign out at this point is to clear cookies.
RSP 1.1.374 on Ubuntu (Xenial), CentOS, and openSUSE.
The text was updated successfully, but these errors were encountered: