Session tokens are not invalidated on logout in heroiclabs/nakama
May 24th 2022
The console session token (sent as a Bearer token in the Authorization header) is not invalidated on logout, so a token captured before logout can still be used afterwards.
Proof of Concept
Login to the Nakama console.
Intercept the request. Below is a sample request:
GET /v2/console/user HTTP/1.1
Host: localhost:7351
Accept: application/json, text/plain, */*
Authorization: Bearer <token>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Referer: http://localhost:7351/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Logout from the application.
Replay the intercepted request with the same Bearer token. The server still answers as it would for an authenticated user.
Old session tokens remain valid after logout and can be used to authenticate to the console and send authenticated requests. Logout therefore does not end the session server-side: anyone who obtained the token (from browser storage, a proxy log, or a shared machine) keeps access after the user believes the session is over.
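The following is an added illustration of the behaviour above and of the usual fix; it is example code, not Nakama's own implementation. It assumes the console token is an HMAC-signed JWT carrying a token id (jti) and an expiry, that the signing key, user name and token id shown are placeholders, and that logout records the token's jti in a server-side revocation set that every request checks. The vulnerable path accepts any well-signed, unexpired token; the fixed path additionally rejects revoked ones.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Placeholder key for the example; a real server loads it from config.
var signingKey = []byte("example-console-signing-key")

var b64 = base64.RawURLEncoding

// claims is the minimal payload the example needs: who, which token, until when.
type claims struct {
	Sub string `json:"sub"` // console user
	JTI string `json:"jti"` // unique token id, the handle used for revocation
	Exp int64  `json:"exp"` // unix expiry
}

// issue signs a minimal HS256 JWT for a console user.
func issue(user, jti string, ttl time.Duration, now time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(claims{Sub: user, JTI: jti, Exp: now.Add(ttl).Unix()})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// parse checks signature and expiry only. That is all the vulnerable server
// checks, so a token stays usable until exp no matter how often the user logs out.
func parse(token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("expired")
	}
	return &c, nil
}

// authorizeVulnerable mirrors the reported behaviour: signature + expiry, nothing else.
func authorizeVulnerable(token string, now time.Time) (string, error) {
	c, err := parse(token, now)
	if err != nil {
		return "", err
	}
	return c.Sub, nil
}

// revocations is the server-side state logout must write to. Each entry keeps
// the token's own expiry so it can be dropped once the token would have died anyway.
type revocations struct {
	mu   sync.Mutex
	jtis map[string]int64
}

func newRevocations() *revocations { return &revocations{jtis: map[string]int64{}} }

// logout invalidates the presented token for every later request.
func (r *revocations) logout(token string, now time.Time) error {
	c, err := parse(token, now)
	if err != nil {
		return err
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	r.jtis[c.JTI] = c.Exp
	return nil
}

// prune drops entries for tokens that have expired on their own, bounding the set.
func (r *revocations) prune(now time.Time) {
	r.mu.Lock()
	defer r.mu.Unlock()
	for jti, exp := range r.jtis {
		if now.Unix() >= exp {
			delete(r.jtis, jti)
		}
	}
}

// authorizeFixed is the corrected check: valid signature, unexpired, and not revoked.
func (r *revocations) authorizeFixed(token string, now time.Time) (string, error) {
	c, err := parse(token, now)
	if err != nil {
		return "", err
	}
	r.mu.Lock()
	_, revoked := r.jtis[c.JTI]
	r.mu.Unlock()
	if revoked {
		return "", errors.New("token revoked")
	}
	return c.Sub, nil
}

func main() {
	now := time.Now()
	tok := issue("admin", "jti-1", time.Hour, now) // placeholder user and id
	rev := newRevocations()
	_ = rev.logout(tok, now)
	_, errV := authorizeVulnerable(tok, now)
	_, errF := rev.authorizeFixed(tok, now)
	fmt.Println("vulnerable path accepts token after logout:", errV == nil)
	fmt.Println("fixed path accepts token after logout:", errF == nil)
}
```

The revocation set only has to hold entries until each token's own expiry, so its size is bounded by the number of logouts within one token lifetime; in a multi-node deployment it would live in shared storage rather than process memory. Shortening the token lifetime alone does not fix the report, it only narrows the window in which a replayed token works.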