[#8579] set Clear-Site-Data response header upon logout to clear cookies and storage
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index bdb7ecd..2e9e427 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -313,6 +313,8 @@ def logout(self):
         self.session.invalidate()
         self.session.save()
         response.set_cookie('memorable_forget', '/', secure=request.environ['beaker.session'].secure)
+        # signal to browser to clear saved data
+        response.headers['Clear-Site-Data'] = '"cookies", "storage"'
 
     def validate_password(self, user: M.User, password: str) -> bool:
         ok = self._validate_password(user, password)
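Review bot: The `Clear-Site-Data` header added at the end of `logout` goes out in the same response as the `memorable_forget` cookie set on the line above, and the one-line comment does not say how the two are meant to interact. Whether a `Set-Cookie` sent alongside `"cookies"` survives the clearing appears to be browser-dependent, so it is worth confirming that `memorable_forget` (and any fresh session cookie from `session.save()`) still arrives as intended. The `"cookies"` directive also applies to the whole registrable domain including subdomains, which matters if other applications share the domain. Browsers honor the header only over HTTPS and support is not universal, so I would expand the comment to something like `# best-effort client-side cleanup (HTTPS only, clears cookies domain-wide); session.invalidate() above remains the authoritative logout`. `logout` begins above this hunk, so the earlier part of the method is not visible here.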
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index c0d3e7f..80fd267 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -274,7 +274,10 @@ def test_logout(self):
         links = r.html.find(*nav_pattern).find_all('a')
         assert links[-1].string == "Log Out"
 
-        r = self.app.get('/auth/logout').follow().follow()
+        r = self.app.get('/auth/logout')
+        assert 'Clear-Site-Data' in r.headers
+
+        r = r.follow().follow()
         logged_out_session = r.session['_id']
         assert logged_in_session is not logged_out_session
         links = r.html.find(*nav_pattern).find_all('a')
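Review bot: The new assertion in `test_logout` checks only that a `Clear-Site-Data` header is present, not what it contains. Browsers ignore directives that are not quoted strings, so a later edit that drops the quotes or a directive would leave logout silently weaker while this test keeps passing. I would pin the value instead: `assert r.headers['Clear-Site-Data'] == '"cookies", "storage"'`. `test_logout` starts above the hunk and continues past it.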