From de9a96c4deab0b31bdeb2c9f5b7d02e286b34c5c Mon Sep 17 00:00:00 2001 From: zeripath Date: Sun, 17 May 2020 12:32:33 +0100 Subject: [PATCH] Forcibly clean and destroy the session on logout (#11447) (#11451) Backport #11447 Signed-off-by: Andrew Thornton Co-authored-by: techknowlogick Co-authored-by: techknowlogick --- routers/user/auth.go | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/routers/user/auth.go b/routers/user/auth.go index 6d762a058cd..925885976e5 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -988,11 +988,8 @@ func LinkAccountPostRegister(ctx *context.Context, cpt *captcha.Captcha, form au } func handleSignOut(ctx *context.Context) { - _ = ctx.Session.Delete("uid") - _ = ctx.Session.Delete("uname") - _ = ctx.Session.Delete("socialId") - _ = ctx.Session.Delete("socialName") - _ = ctx.Session.Delete("socialEmail") + _ = ctx.Session.Flush() + _ = ctx.Session.Destroy(ctx.Context) ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)