Commit 9bceca2b authored by Aaron Wells's avatar Aaron Wells

Clear secreturl access cookies on logout

Bug 1385564: This doesn't provide much additional security, because if
the access cookies are still in your browser session, then the secret URL
itself is probably still in your browser history. But if someone goes to
the trouble of logging out *and* clearing their browser history, this
will ensure that it actually does end the secreturl access cookie like
they'd expect.

Change-Id: Ia75f58015ab2cb54c9184cdc8b5bf32dfe543733
parent ff42bce2
......@@ -1524,6 +1524,13 @@ class LiveUser extends User {
set_cookie('lastinstitution', $this->sitepages_institutionname_by_theme('loggedouthome'), '2240561472', true);
}
// Clear any secret URL access cookies
foreach (array('viewaccess:', 'mviewaccess:', 'viewaccess:') as $cookiename) {
foreach (get_cookies($cookiename) as $id => $token) {
set_cookie($cookiename . $id, '', 1);
}
}
require_once(get_config('libroot') . 'ddl.php');
if ($this->changed == true) {
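Review bot: The prefix list in the added `foreach` names `'viewaccess:'` twice (first and third entries), so the third pass only re-expires cookies that the first pass already cleared. If a different secret-URL cookie prefix was meant in that slot, cookies under it would survive logout and could presumably still grant access, which is what this commit sets out to prevent. If no third prefix exists, the list should read `array('viewaccess:', 'mviewaccess:')`. The inner loop also binds `$token` without using it; a short comment such as `// only the id is needed to rebuild the cookie name` would make that intent explicit. The enclosing method starts and ends outside the hunk, so whether other access cookies are cleared elsewhere cannot be confirmed from here.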
......