Description
Hello,
We are using ShinyProxy to deploy an R Shiny app that is accessed under a web-service based authentication. We are still using ShinyProxy 3.0.2 (essentially due to the JDK version in use).
We recently received a security assessment before being able to deploy the app in production. Among the medium risks identified, one of the key findings we are requested to address is the following:
The session cookie (JSESSIONID) remains active in the browser after user logout, indicating that the server does not properly invalidate or clear the session upon termination. This may pose security and session management risks.
The recommendation given is:
Ensure that the server properly invalidates the user session during logout and explicitly removes the session cookie (JSESSIONID) from the client. Configure the logout process to delete all relevant cookies and verify that no active session identifiers remain in the browser post-logout to enhance security and session management.
From what I understand, and after tests, the JSESSIONID is cleared/renewed, since it's different before/after login and after logout.
Is there anything we can/should do (maybe at configuration level) to address above recommendation (including removing the session cookie)?
Thanks in advance for your support
Best regards
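A small check for the finding quoted in the issue, added here as an example that is not part of the original issue or of ShinyProxy itself. It parses the `Set-Cookie` headers returned by a logout endpoint and reports separately whether the server instructed the browser to delete `JSESSIONID` and whether the session id was rotated; that is exactly the distinction between the assessor's finding (cookie still present after logout) and the observation that the id differs before and after logout. The header values and session ids are constructed samples, not captured from ShinyProxy.

```python
"""Verify that a logout response both clears the session cookie and rotates
the session id. Added example; the sample headers below are constructed and
do not come from ShinyProxy."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Fixed "current time" so the Expires comparison is deterministic (constructed).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed: a logout response that tells the browser to drop the cookie
# (Max-Age=0 and an Expires date in the past) and also clears a CSRF token.
CLEARING_LOGOUT_HEADERS = [
    "JSESSIONID=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; HttpOnly",
    "XSRF-TOKEN=; Path=/; Max-Age=0",
]

# Constructed: a logout response that only issues a fresh session id. The id
# changes (rotation) but the browser keeps holding a JSESSIONID cookie, which
# is what the assessment flagged.
ROTATING_ONLY_HEADERS = [
    "JSESSIONID=B2FRESHSESSION; Path=/; HttpOnly",
]


def parse_set_cookie(headers, name="JSESSIONID"):
    """Return the Morsel for `name` from a list of Set-Cookie values, else None."""
    for value in headers:
        jar = SimpleCookie()
        jar.load(value)
        if name in jar:
            return jar[name]
    return None


def deletion_requested(cookie, now):
    """True if the cookie attributes instruct the browser to discard it.

    Max-Age <= 0 wins over Expires, as browsers prefer Max-Age when both exist.
    """
    if cookie is None:
        return False
    max_age = cookie["max-age"]
    if max_age != "":
        return int(max_age) <= 0
    expires = cookie["expires"]
    if expires != "":
        return parsedate_to_datetime(expires) <= now
    return False


def logout_clears_session(headers, before_id, after_id, name="JSESSIONID", now=None):
    """Assess a logout round-trip.

    headers:   Set-Cookie values from the logout response.
    before_id: session id the browser held before logout.
    after_id:  session id the browser holds afterwards (None if the cookie is gone).
    Returns a dict with the two independent properties and their conjunction.
    """
    now = now or datetime.now(timezone.utc)
    cookie = parse_set_cookie(headers, name)
    deleted = deletion_requested(cookie, now)
    rotated = before_id != after_id
    return {"deletion_sent": deleted, "id_rotated": rotated, "ok": deleted and rotated}


if __name__ == "__main__":
    print("clearing logout:", logout_clears_session(CLEARING_LOGOUT_HEADERS, "A1OLD", None, now=NOW))
    print("rotating only:  ", logout_clears_session(ROTATING_ONLY_HEADERS, "A1OLD", "B2FRESHSESSION", now=NOW))
```

Feed it the real `Set-Cookie` headers from the logout response (for example from the browser's network panel) and the cookie value observed before and after logout; a result with `id_rotated` true but `deletion_sent` false reproduces the assessor's finding even though the id has changed.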