by CamJN
1188 days ago
Assuming you use a token similar to JWT, then redirects and removing the token from the client don’t matter if you don’t blacklist the token on the backend, which, if they were able to continue by hitting the back button, seems to be the case. This does require you to keep a database of “logged-out” tokens and reject them, and occasionally run a cleanup script on the db to prune tokens from that table after they would have expired, but that’s what is required when you use auth tokens for login.
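The server-side denylist CamJN describes, written out as an added example (this is not code from the thread or from the product under discussion): a minimal HS256 JWT-style token with a unique `jti`, a revocation list keyed by that `jti`, a `verify_token` that rejects expired, tampered, or logged-out tokens, and a `prune` that drops entries once the token would have expired on its own. The key, claim names other than the standard `sub`/`iat`/`exp`/`jti`, and the in-memory store are assumptions for illustration; a real deployment would back the list with a database table or a cache entry whose TTL matches the token's remaining lifetime.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key (assumption); in a real service this comes from a secret store.
SECRET_KEY = b"demo-key-not-for-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: int, ttl_seconds: int = 3600) -> str:
    """Mint a compact JWT-style token (HS256): header.payload.signature.

    The payload carries a unique `jti` so one token can be revoked at
    logout without invalidating every token ever issued to the user.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds,
               "jti": secrets.token_hex(16)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RevocationList:
    """Server-side record of logged-out tokens: jti -> exp (in memory here)."""

    def __init__(self) -> None:
        self._revoked: dict[str, int] = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def prune(self, now: int) -> int:
        """Drop entries for tokens whose `exp` has passed; signature/expiry
        checks reject those tokens anyway, so the entries are dead weight."""
        stale = [jti for jti, exp in self._revoked.items() if exp <= now]
        for jti in stale:
            del self._revoked[jti]
        return len(stale)

    def __len__(self) -> int:
        return len(self._revoked)


def verify_token(token: str, revoked: RevocationList, now: int) -> dict | None:
    """Return the payload if the token is valid and not logged out, else None
    (the caller maps None to a 401)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(SECRET_KEY, signing_input, hashlib.sha256).digest()
        # Constant-time comparison so the signature check does not leak timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 / JSON / wrong segment count
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    if revoked.is_revoked(payload.get("jti", "")):
        return None  # logged out: whatever the client still holds no longer works
    return payload


def logout(token: str, revoked: RevocationList, now: int) -> bool:
    """Record the token as logged out so later API calls carrying it fail."""
    payload = verify_token(token, revoked, now)
    if payload is None:
        return False
    revoked.revoke(payload["jti"], payload["exp"])
    return True


if __name__ == "__main__":
    now = 1_700_000_000
    rl = RevocationList()
    tok = issue_token("alice", now)
    print("before logout:", verify_token(tok, rl, now) is not None)
    logout(tok, rl, now)
    print("after logout:", verify_token(tok, rl, now) is not None)
    print("pruned after expiry:", rl.prune(now + 3600))
```

Storing `exp` alongside the `jti` is what makes the cleanup cheap: the prune job only needs one comparison per row, and it never has to re-parse or re-verify tokens.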
From the screenshot that was provided, they're seeing the client render a page, but it's failing to acquire any data from the API. If they opened the network inspector they'd likely see that the requests are 401'ing after logging out.
I'm not pretending that this is good UX -- it's not -- but it's not evidence of a security issue. That said, we have every intention of nailing down fantastic UX as quickly as possible. (I'm a recent addition to the company but) it pains me personally for anyone to see any mistakes and I hope to impress you soon.