WordPress.org

Make WordPress Core

Opened 11 months ago

Last modified 4 months ago

#49258 new enhancement

Improper Session Termination

Reported by: vishal05 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.1.1
Component: Users Keywords: has-patch needs-testing
Focuses: administration Cc:

Description

After Logout into wordpress back-end when we press “Back” button of the browser an authenticated page got displayed without entering any valid credentials.

Change History (5)

#1 @SergeyBiryukov
11 months ago

  • Component changed from General to Users

#2 follow-up: @ayeshrajans
10 months ago

Shameless self-plug to a plugin I have put together that helps mitigate this with Clear-Site-Data HTTP header: https://wordpress.org/plugins/clear-logout/

#3 in reply to: ↑ 2 @khag7
4 months ago

The Clear-Site-Data header clears browsing data (cookies, storage, cache) associated with the requesting website. It allows web developers to have more control over the data stored locally by a browser for their origins.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data

The function wp_logout in pluggable.php should send the header:

header('Clear-Site-Data:"*"');
Last edited 4 months ago by khag7 (previous) (diff)

This ticket was mentioned in PR #457 on WordPress/wordpress-develop by khag7.
4 months ago

  • Keywords has-patch added

Trac ticket:

#5 @khag7
4 months ago

  • Keywords needs-testing added
  • Type changed from defect (bug) to enhancement
Note: See TracTickets for help on using tickets.