Make WordPress Core

Opened 5 years ago

Last modified 14 months ago

#49258 new enhancement

Improper Session Termination

Reported by: vishal05
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.1.1
Component: Users
Keywords: has-patch needs-testing 2nd-opinion
Focuses: administration
Cc:

Description

After logging out of the WordPress back-end, pressing the browser's "Back" button displays an authenticated page without any valid credentials having been entered.

Change History (6)

#1 @SergeyBiryukov
5 years ago

  • Component changed from General to Users

#2 follow-up: @ayeshrajans
5 years ago

Shameless self-plug to a plugin I have put together that helps mitigate this with Clear-Site-Data HTTP header: https://wordpress.org/plugins/clear-logout/

#3 in reply to: #2 @khag7
4 years ago

The Clear-Site-Data header clears browsing data (cookies, storage, cache) associated with the requesting website. It allows web developers to have more control over the data stored locally by a browser for their origins.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data

The function wp_logout in pluggable.php should send the header:

header('Clear-Site-Data:"*"');
Last edited 4 years ago by khag7

#4
4 years ago

This ticket was mentioned in PR #457 on WordPress/wordpress-develop by khag7.

  • Keywords has-patch added

#5 @khag7
4 years ago

  • Keywords needs-testing added
  • Type changed from defect (bug) to enhancement

#6 @brookedot
14 months ago

  • Keywords 2nd-opinion added

I like the idea of adding this feature, especially as browser support has grown.

I'm happy to refresh the patch to get this closer to being added to WordPress 6.4.

Looking at the current patch, I'm wondering if we should make it filterable to allow the header to be disabled. I could see that being useful in places such as intranet sites, or if it is causing some other problems.

Thoughts?
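One way the filterable behaviour discussed in this thread could look, written as a small plugin hooking the existing `wp_logout` action. This is an added illustration, not core code or the patch from PR #457; the filter name `example_clear_site_data_on_logout` and the `example_` function names are assumptions.

```php
<?php
/**
 * Plugin Name: Clear-Site-Data on logout (illustrative example)
 *
 * Added example, not WordPress core code. The filter name
 * 'example_clear_site_data_on_logout' is an assumption for illustration.
 */

// Directives the header may carry; "*" requests all of them.
const EXAMPLE_CSD_DIRECTIVES = array( 'cache', 'cookies', 'storage', 'executionContexts', '*' );

/**
 * Build the header value from a list of directives.
 * Returns '' when nothing valid is left, which means "do not send the header".
 */
function example_clear_site_data_value( $directives ) {
    $directives = array_values( array_intersect( (array) $directives, EXAMPLE_CSD_DIRECTIVES ) );
    if ( empty( $directives ) ) {
        return '';
    }
    // Each directive is a quoted token, comma separated: "cache", "cookies"
    return implode( ', ', array_map( function ( $d ) { return '"' . $d . '"'; }, $directives ) );
}

/**
 * Runs on the wp_logout action, which core fires after the auth cookies are
 * cleared and before the logout redirect, so headers have not been sent yet.
 */
function example_send_clear_site_data_on_logout( $user_id ) {
    // Site owners (an intranet, a site sharing cookies across subdomains) can
    // return an empty array to disable the header, or drop single directives.
    // Note that "cookies" clears cookies for the whole registrable domain.
    $directives = apply_filters( 'example_clear_site_data_on_logout', array( 'cache', 'cookies', 'storage' ), $user_id );
    $value      = example_clear_site_data_value( $directives );

    // Browsers only honour Clear-Site-Data over HTTPS, and a header cannot be
    // added once output has started, so bail out quietly in both cases.
    if ( '' === $value || ! is_ssl() || headers_sent() ) {
        return;
    }
    header( 'Clear-Site-Data: ' . $value );
}
add_action( 'wp_logout', 'example_send_clear_site_data_on_logout' );
```

Sending the header on the logout response is what makes the cached authenticated page unavailable to the Back button; on plain HTTP the browser ignores it, so TLS remains a prerequisite for this mitigation.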
