Commit 78e8b108 authored by Aaron Wells's avatar Aaron Wells Committed by Robert Lyon

Clear secreturl access cookies on logout

Bug 1385564: This doesn't provide much additional security, because if
the access cookies are still in your browser session, then the secret URL
itself is probably still in your browser history. But if someone goes to
the trouble of logging out *and* clearing their browser history, this
will ensure that it actually does end the secreturl access cookie like
they'd expect.

Change-Id: Ia75f58015ab2cb54c9184cdc8b5bf32dfe543733
parent ab89e765
......@@ -1480,6 +1480,13 @@ class LiveUser extends User {
set_cookie('lastinstitution', $this->sitepages_institutionname_by_theme('loggedouthome'), '2240561472', true);
}
// Clear any secret URL access cookies
foreach (array('viewaccess:', 'mviewaccess:', 'viewaccess:') as $cookiename) {
foreach (get_cookies($cookiename) as $id => $token) {
set_cookie($cookiename . $id, '', 1);
}
}
require_once(get_config('libroot') . 'ddl.php');
if ($this->changed == true) {
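Review bot: The prefix list in the new `foreach` names `'viewaccess:'` twice, so the third entry is either redundant or a typo for a different prefix. If a third kind of secret-URL access cookie exists, it survives logout and the commit only partly achieves its goal. Check which prefixes the cookie-setting code uses and make the list match, e.g. `foreach (array('viewaccess:', 'mviewaccess:') as $cookiename) {` if there are only two. Separately, `set_cookie($cookiename . $id, '', 1)` only removes the browser's copy when the path and domain match those used when the cookie was set, and that is not visible here. The enclosing method starts and ends outside the hunk.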
......