Make sign-out really invalidate the user's session

By storing our own session table on the server we can delete the
session record when the user asks us to sign them out of their
browser session. This cuts off any chance for an outside attacker
to have sniffed the cookie and replay it after the user has signed
out of their session.

The downside of this approach is the session table is stored in
memory, and has a finite size. If too many concurrent sessions
occur at once, the older sessions will be logged out.

Bug: GERRIT-83
Signed-off-by: Shawn O. Pearce <sop@google.com>
19 files changed
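The mechanism the commit message describes, as an added illustration that is not Gerrit's code and not part of this commit: a server-side session table keyed by an opaque random cookie token, where sign-out deletes the row (so a cookie captured earlier stops working immediately) and a fixed capacity evicts the least recently used session when the table is full. The class and function names, the capacity of two sessions, and the account names are all assumptions made for the example.

```python
import secrets
from collections import OrderedDict
from typing import Optional, Tuple


class SessionStore:
    """In-memory, fixed-size server-side session table (example only).

    The browser cookie carries only an opaque random token. Validity is
    decided by whether that token is still present in this table, so
    deleting the row on sign-out is what makes a replayed cookie fail.
    When the table is full, the least recently used session is evicted,
    which is the "older sessions will be logged out" trade-off.
    """

    def __init__(self, max_sessions: int = 1000) -> None:
        self.max_sessions = max_sessions
        # token -> account id, ordered from least to most recently used
        self._sessions: "OrderedDict[str, str]" = OrderedDict()

    def sign_in(self, account: str) -> str:
        """Create a session and return the token to place in the cookie."""
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        if len(self._sessions) >= self.max_sessions:
            self._sessions.popitem(last=False)  # drop the oldest session
        self._sessions[token] = account
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the account for a presented cookie, or None if no session exists."""
        account = self._sessions.get(token)
        if account is not None:
            self._sessions.move_to_end(token)  # refresh recency on use
        return account

    def sign_out(self, token: str) -> bool:
        """Delete the session row; True if a session was actually removed."""
        return self._sessions.pop(token, None) is not None


def demo_replay_after_sign_out() -> Tuple[Optional[str], Optional[str]]:
    """A cookie copied before sign-out maps to nothing after sign-out."""
    store = SessionStore(max_sessions=2)
    cookie = store.sign_in("alice")      # constructed sample account
    before = store.lookup(cookie)        # "alice"
    store.sign_out(cookie)
    after = store.lookup(cookie)         # None: the row is gone
    return before, after


def demo_capacity_eviction() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """With the table full, the oldest session is the one logged out."""
    store = SessionStore(max_sessions=2)
    a = store.sign_in("alice")           # constructed sample accounts
    b = store.sign_in("bob")
    c = store.sign_in("carol")           # table full: alice is evicted
    return store.lookup(a), store.lookup(b), store.lookup(c)


if __name__ == "__main__":
    print("replay after sign-out:", demo_replay_after_sign_out())
    print("eviction when full:  ", demo_capacity_eviction())
```

Because the cookie value is never checked against anything stateless (no signed or encrypted cookie that remains valid on its own), there is nothing an attacker who sniffed the old value can present once the row is deleted; the cost, as the commit notes, is that the table is bounded and busy servers will silently sign out the least recently used users.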