Hi,
Using OpenSearch 1.2.3 with OpenSearch Dashboards 1.2.0 (with the corresponding security plugins),
Dashboards doesn’t seem to be invalidating session cookies after logging out.
Steps:
- Log in to dashboard
- Note value of cookie security_authentication
- Log out of dashboard via UI
- Use the same security_authentication token and access the Dashboards API directly (for example: url:5601/api/v1/configuration/account), and the session token still works
I found this similar issue: https://github.com/opensearch-project/security-dashboards-plugin/issues/119 but there hasn’t been a reply yet since Dec 2019?
Could someone please also help check and validate?
Thank you!
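The steps above can be turned into a repeatable regression check. This is an added example, not part of the original post and not OpenSearch Dashboards code: a constructed local mock server (hypothetical `/login` and `/logout` routes, constructed token `tok-1`) runs in two modes, one where logout only tells the browser to delete the cookie and one where the server also revokes the session, and the cookie is replayed against the API path from the post after logout.

```python
import http.server, threading, urllib.request, urllib.error
COOKIE = "security_authentication"      # cookie name from the post
API = "/api/v1/configuration/account"   # API path from the post
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

def make_handler(server_side_sessions):
    live = set()  # sessions the mock server still honours
    class Handler(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args): pass  # keep output quiet
        def do_GET(self):
            jar = dict(p.strip().partition("=")[::2]
                       for p in self.headers.get("Cookie", "").split(";"))
            tok = jar.get(COOKIE)
            if self.path == "/login":        # hypothetical mock route
                live.add("tok-1")            # constructed token
                self.send_response(200)
                self.send_header("Set-Cookie", f"{COOKIE}=tok-1")
            elif self.path == "/logout":     # hypothetical mock route
                live.discard(tok)            # server-side revocation
                self.send_response(200)
                self.send_header("Set-Cookie", f"{COOKIE}=; Max-Age=0")
            elif self.path == API:
                # Without server-side state the token alone is trusted.
                ok = tok == "tok-1" and (tok in live or not server_side_sessions)
                self.send_response(200 if ok else 401)
            else:
                self.send_response(404)
            self.end_headers()
    return Handler

def get(base, path, cookie=None):
    headers = {"Cookie": f"{COOKIE}={cookie}"} if cookie else {}
    req = urllib.request.Request(base + path, headers=headers)
    try:
        with OPENER.open(req) as resp:
            return resp.status, resp.headers.get("Set-Cookie")
    except urllib.error.HTTPError as err:
        return err.code, None

def replay_after_logout(server_side_sessions):
    srv = http.server.HTTPServer(("127.0.0.1", 0), make_handler(server_side_sessions))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        token = get(base, "/login")[1].split(";")[0].split("=", 1)[1]  # steps 1-2
        get(base, "/logout", token)                                   # step 3
        return get(base, API, token)[0]                               # step 4
    finally:
        srv.shutdown(); srv.server_close()
```

`replay_after_logout(False)` returns 200, the behaviour reported in the post; `replay_after_logout(True)` returns 401, the result a logout with server-side invalidation should give.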