OpenSearch Dashboards log out not clearing session cookie validity

Hi,

Using OpenSearch 1.2.3 with OpenSearch Dashboards 1.2.0 (with the corresponding security plugins), Dashboards doesn’t seem to be invalidating session cookies after logging out.

Steps

  1. Log in to dashboard
  2. Note value of cookie security_authentication
  3. Log out of dashboard via UI
  4. Use same security_authentication token and access dashboard api directly (for example: url:5601/api/v1/configuration/account) and the session token still works

I found this similar issue: https://github.com/opensearch-project/security-dashboards-plugin/issues/119 but there hasn’t been a reply yet since Dec 2019?

Could someone please also help check and validate?

Thank you!


Addendum: the security plugin does seem to be keeping track of the sessions somehow, it invalidates the cookie after I think an hour of inactivity. However, the log out button should be doing this too?

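A model of the behaviour reported in this thread, added here as an example (not code from the post or from the security plugin): it assumes a self-validating signed cookie with an idle timeout, and contrasts a logout that only clears the browser's cookie with one that also records the cookie server-side. All class and function names, the key and the one-hour timeout are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed value, not a real secret
IDLE_TIMEOUT = 3600            # assumption: one hour, as guessed in the post

def sign(body):
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, now):
    """Self-validating cookie: user|last_seen|HMAC(user|last_seen)."""
    body = f"{user}|{int(now)}"
    return f"{body}|{sign(body)}"

def cookie_user(cookie, now):
    """Return the user if the MAC and idle window check out, else None."""
    try:
        user, seen, mac = cookie.split("|")
        fresh = now - int(seen) <= IDLE_TIMEOUT
    except ValueError:
        return None
    ok = hmac.compare_digest(mac, sign(f"{user}|{seen}"))
    return user if ok and fresh else None

class StatelessServer:
    """Logout only tells the browser to drop the cookie; nothing is recorded."""
    def logout(self, cookie):
        return "Set-Cookie: security_authentication=; Max-Age=0"

    def api_call(self, cookie, now):
        return 200 if cookie_user(cookie, now) else 401

class RevokingServer(StatelessServer):
    """Same cookie, plus a denylist (a real one would expire its entries)."""
    def __init__(self):
        self.revoked = set()

    def logout(self, cookie):
        self.revoked.add(cookie)
        return super().logout(cookie)

    def api_call(self, cookie, now):
        return 401 if cookie in self.revoked else super().api_call(cookie, now)

def replay_after_logout(server, now=1_000_000):
    """Steps 1-4 from the post; statuses 60 s later and past the timeout."""
    cookie = issue_cookie("alice", now)
    server.logout(cookie)
    return (server.api_call(cookie, now + 60),
            server.api_call(cookie, now + IDLE_TIMEOUT + 1))
```

In this model the stateless server accepts the saved cookie until the idle timeout lapses, which matches the symptom described; the revoking server rejects it immediately after logout.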