Opened 5 years ago
Last modified 14 months ago
#49258 new enhancement
Improper Session Termination
| Reported by: | vishal05 | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 5.1.1 |
| Component: | Users | Keywords: | has-patch needs-testing 2nd-opinion |
| Focuses: | administration | Cc: | |
Description
After logging out of the WordPress back-end, when we press the “Back” button of the browser, an authenticated page is displayed without entering any valid credentials.
Change History (6)
#3 in reply to ↑ 2, 4 years ago
The Clear-Site-Data header clears browsing data (cookies, storage, cache) associated with the requesting website. It allows web developers to have more control over the data stored locally by a browser for their origins.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
The function wp_logout in pluggable.php should send the header:
    header('Clear-Site-Data:"*"');
#4, 4 years ago
- Keywords has-patch added
This ticket was mentioned in PR #457 on WordPress/wordpress-develop by khag7.
#6, 14 months ago
- Keywords 2nd-opinion added
I like the idea of adding this feature. Especially as browser support has grown.
I'm happy to refresh the patch to get this closer to being added to WordPress 6.4.
Looking at the current patch, I'm wondering if we should make it filterable to allow the header to be disabled. I could see that being useful in places such as intranet sites, or if it is causing some other problems.
Thoughts?
Shameless self-plug to a plugin I have put together that helps mitigate this with Clear-Site-Data HTTP header: https://wordpress.org/plugins/clear-logout/
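The following is an added illustration of what comments #3 and #6 describe: a small must-use plugin that sends Clear-Site-Data from the core `wp_logout` action and makes the directive list filterable so the header can be disabled. It is not WordPress core, not the PR #457 patch, and not the clear-logout plugin; the filter name `example_logout_clear_site_data` and the function names are assumptions.

```php
<?php
/**
 * Added example, not WordPress core code: send Clear-Site-Data when a
 * user logs out, with a hypothetical filter so a site owner can narrow
 * or disable it (the intranet case raised in comment #6).
 * Place in wp-content/mu-plugins/ on a test site to try it.
 */

/**
 * Build the Clear-Site-Data header value from a list of directives.
 * Each directive is a quoted string per the spec; unknown values are
 * dropped. Returns '' when nothing should be sent.
 */
function example_clear_site_data_value( array $directives ) {
    $allowed = array( 'cache', 'cookies', 'storage', '*' );
    $quoted  = array();
    foreach ( $directives as $directive ) {
        if ( in_array( $directive, $allowed, true ) ) {
            $quoted[] = '"' . $directive . '"';
        }
    }
    return implode( ', ', $quoted );
}

/**
 * Runs on the core `wp_logout` action, which fires inside wp_logout()
 * after the auth cookies are cleared and before the logout redirect,
 * so the header goes out on the logout response itself.
 */
function example_send_clear_site_data_on_logout() {
    // Hypothetical filter: return an empty array to disable the header,
    // or e.g. array( 'cookies', 'storage' ) to keep the browser cache.
    $directives = apply_filters( 'example_logout_clear_site_data', array( '*' ) );

    $value = example_clear_site_data_value( (array) $directives );
    if ( '' === $value || headers_sent() ) {
        // Nothing to send, or output already started: a late header is lost.
        return;
    }
    header( 'Clear-Site-Data: ' . $value );
}
add_action( 'wp_logout', 'example_send_clear_site_data_on_logout' );
```

With the default `"*"` the browser discards its cache for the site's origin as well as cookies and storage, which is what keeps the “Back” button from re-showing the previously rendered authenticated page.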