fix: [security] destroy session on logout

- As reported by Matúš Mikuláš, Adam Gajdošík, Milan Pikula of SK-CERT
develop-unstable
iglocska 2023-01-03 15:45:42 +01:00
parent 13bb031167
commit 6da27dd2a4
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 1 additions and 0 deletions


@ -384,6 +384,7 @@ class UsersController extends AppController
if (Configure::read('keycloak.enabled')) { if (Configure::read('keycloak.enabled')) {
$this->redirect($this->Users->keyCloaklogout()); $this->redirect($this->Users->keyCloaklogout());
} }
$this->request->getSession()->destroy();
return $this->redirect(\Cake\Routing\Router::url('/users/login')); return $this->redirect(\Cake\Routing\Router::url('/users/login'));
} }
} }
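Review bot: The added `$this->request->getSession()->destroy();` sits after the Keycloak branch, so for Keycloak users it runs only because that branch's `$this->redirect(...)` result is not returned and execution falls through. If the fall-through is intended, a comment above the new line such as `// no return in the Keycloak branch: the local session must still be destroyed` would stop a later `return` there from silently skipping the destroy. If it is not intended, the final redirect to `/users/login` presumably replaces the Keycloak one, which is worth confirming. Whether `keyCloaklogout()` reads session data is not visible here, so moving the destroy above the branch would need checking against it first. The enclosing action starts above the hunk, so any earlier logout handling cannot be seen.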