The caddy-security plugin lacks proper user session invalidation upon clicking the “Sign Out” button; user sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.
To address this issue, review the sign-out process to identify the cause of the unexpected behavior. Ensure that the /oauth2/google/logout endpoint correctly terminates the user session and invalidates the associated tokens.
Severity: Low
For more defense in depth, use the OWASP Application Security Verification Standard (V3 Session Management) to check whether the implementation handles sessions securely.
More information about our Caddy Security public disclosure: