Cache-Control with mod_auth_openidc endpoint prevents single sign out from working #846
Hi, I am currently working on implementing single sign out with my application. I am facing an issue when I log off from my user within a short time. If a user logs in, then logs out, then does this again (within a short time), the second time the session is never invalidated until it expires.

After looking at the dev tools in Chrome, I noticed that the first time the user logs out, the endpoint redirect_uri?logout= is cached, as the Cache-Control header only sets max-age=600. On the second logout, the request to redirect_uri?logout= is served from cache and is never sent to the server.

I tried to manipulate this in Apache with Header set Cache-Control "no-store, must-revalidate", but it seems like this endpoint controls its own Cache-Control parameter.

I would like to know if there is something wrong in what I am doing, or if this is an issue or something that can be fixed. If you need more details, a HAR or my configuration, I can send them to you. Thank you!
Your analysis seems to be correct and this needs a fix indeed; could you try 883f811? Thanks
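The caching behaviour described in the question, as an added example that is not part of the original thread or of mod_auth_openidc: a Python check that decides, from a captured response's headers, whether a repeat request for the logout URL would still reach the server. The header sets are constructed samples and the function names are hypothetical; heuristic freshness (no explicit lifetime) is not modelled.

```python
from email.utils import parsedate_to_datetime

# Constructed samples: the header reported in the question, and the one the poster wanted.
CACHED = {"Cache-Control": "max-age=600"}
HARDENED = {"Cache-Control": "no-store, must-revalidate"}


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def freshness_lifetime(headers):
    """Seconds a browser cache may reuse the response without asking the server.

    Returns 0 when the response must not be stored or must be revalidated first.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    if cc.get("max-age") is not None:
        try:
            return max(int(cc["max-age"]), 0)
        except ValueError:
            return 0  # unparsable max-age: treat as stale
    if "expires" in h and "date" in h:
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
            return max(int(delta.total_seconds()), 0)
        except (TypeError, ValueError):
            return 0  # invalid date: treat as already expired
    return 0  # no explicit lifetime given


def logout_reaches_server(headers, seconds_since_first_logout):
    """True if a repeat request for the same logout URL is sent to the server."""
    return seconds_since_first_logout >= freshness_lifetime(headers)
```

Feeding it the response headers from a HAR export of the logout request shows whether a second logout inside the freshness window would be answered locally.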