Make WordPress Core

Opened 5 years ago

Closed 5 months ago

#49258 closed enhancement (duplicate)

Improper Session Termination

Reported by: vishal05
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.1.1
Component: Users
Keywords: has-patch needs-testing 2nd-opinion
Focuses: administration
Cc:

Description

After logging out of the WordPress back-end, when we press the “Back” button of the browser, an authenticated page gets displayed without entering any valid credentials.

Change History (7)

#1 @SergeyBiryukov
5 years ago

  • Component changed from General to Users

#2 follow-up: @ayeshrajans
5 years ago

Shameless self-plug to a plugin I have put together that helps mitigate this with Clear-Site-Data HTTP header: https://wordpress.org/plugins/clear-logout/

#3 in reply to: ↑ 2 @khag7
5 years ago

The Clear-Site-Data header clears browsing data (cookies, storage, cache) associated with the requesting website. It allows web developers to have more control over the data stored locally by a browser for their origins.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data

The function wp_logout in pluggable.php should send the header:

header('Clear-Site-Data: "*"');

Last edited 5 years ago by khag7

#4
5 years ago

This ticket was mentioned in PR #457 on WordPress/wordpress-develop by khag7.

  • Keywords has-patch added

Trac ticket:

#5 @khag7
5 years ago

  • Keywords needs-testing added
  • Type changed from defect (bug) to enhancement

#6 @brookedot
22 months ago

  • Keywords 2nd-opinion added

I like the idea of adding this feature. Especially as browser support has grown.

I'm happy to refresh the patch to get this closer to being added to WordPress 6.4.

Looking at the current patch, I'm wondering if we should make it filterable to allow the header to be disabled. I could see that being useful in places such as intranet sites, or if it is causing some other problems.

Thoughts?
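As an added example (not WordPress core, and not the patch from PR #457), the following plugin-style snippet shows what comment 3 proposes, sending a Clear-Site-Data header when `wp_logout` fires, combined with the filter comment 6 asks for so the header can be narrowed or disabled per site. The `wp_logout` action and the `header()`, `headers_sent()` and `apply_filters()` calls are real WordPress/PHP APIs; the filter name `example_clear_site_data_directives` and the function names prefixed `example_` are assumptions made for this example.

```php
<?php
/**
 * Added example: send Clear-Site-Data on logout, with an opt-out filter.
 * Not part of WordPress core or of the ticket's patch.
 */

// Fires inside wp_logout() after the auth cookies are cleared and before
// wp-login.php issues its redirect, so the header rides on that response.
add_action( 'wp_logout', 'example_send_clear_site_data_header' );

function example_send_clear_site_data_header( $user_id = 0 ) {
	// Hypothetical filter name (assumption for this example). Returning an
	// empty array disables the header, e.g. on an intranet site.
	$directives = apply_filters(
		'example_clear_site_data_directives',
		array( 'cache', 'cookies', 'storage' ),
		$user_id
	);

	// Nothing to send, or output already started: the header would be lost.
	if ( empty( $directives ) || headers_sent() ) {
		return;
	}

	$value = example_format_clear_site_data( $directives );
	if ( '' !== $value ) {
		header( 'Clear-Site-Data: ' . $value );
	}
}

/**
 * Build the header value. Each directive must be a quoted string, separated
 * by commas; unknown directives are dropped so a bad filter return cannot
 * produce a malformed header.
 */
function example_format_clear_site_data( array $directives ) {
	$allowed    = array( 'cache', 'cookies', 'storage', 'executionContexts', '*' );
	$directives = array_values( array_unique( array_intersect( $directives, $allowed ) ) );

	return implode(
		', ',
		array_map(
			function ( $directive ) {
				return '"' . $directive . '"';
			},
			$directives
		)
	);
}

// Site-level opt-out, as suggested in comment 6 (goes in a theme or plugin):
// add_filter( 'example_clear_site_data_directives', '__return_empty_array' );

// Narrower variant: only evict the HTTP cache, keep cookies and storage.
// add_filter( 'example_clear_site_data_directives', function () { return array( 'cache' ); } );
```

Two caveats for anyone testing this: browsers only honour Clear-Site-Data on responses delivered over HTTPS, so on a plain-HTTP development site the "Back" button will still show the cached page; and the "cookies" directive clears cookies for the whole registrable domain, not just the WordPress origin, so on a domain shared with other applications it logs users out of those as well, which is exactly the case where the filter above is useful.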

#7 @johnbillion
5 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #21938.

This got fixed in [55968].
