Security fix: invalidate panel sessions on logout and re-login#56
Conversation
Track panel sessions server-side so stolen signed cookies cannot be replayed after logout or a subsequent login from another client. Co-authored-by: Alexander Wagner <info@alexanderwagnerdev.com>
PR Summary by QodoInvalidate server-panel sessions on logout and re-login via server-side token tracking
AI Description
Diagram
High-Level Assessment
Files changed (4)
|
Code Review by Qodo
Context used✅ Compliance rules (platform):
6 rules✅ Cross-repo context Not relevant to this PR:
OpenRTMP/librtmp2-server 1.
|
|
Code review by qodo was updated up to the latest commit 922f338 |
|
|
Code review by qodo was updated up to the latest commit e4ea623 |


Security review finding
Severity: Medium
Location:
app.pyIssue: #55
Impact
Flask signed session cookies remained valid for up to 8 hours after logout. An attacker who captured a session cookie before logout could replay it for full admin access even after the victim believed the session was terminated.
Fix
session_store.pywith Redis-backed (production) and in-memory (single-worker dev) session token tracking.@login_requiredrequest.Tests
test_logout_invalidates_stolen_session_cookietest_login_invalidates_previous_session_cookieAll 83 non-integration tests pass.
Need help on this PR? Tag
/codesmithwith what you need. Autofix is disabled.