Is logout via cdn-cgi/access/logout for a Cloudflare Access app meant to be safe against refreshes in another tab?
It seems we can replicate about 1 in 4 scenarios where it doesn’t work fully, maybe by design? It’s a primitive testing scenario at the moment, but upon confirmation that this isn’t intentional we’d probably look to script something more exhaustive.
Clear cache and cookies. Log in via Cloudflare Access and get redirected to our LOB SaaS dashboard. Duplicate the tab, pull it to a new window, tile. Continuously press F5 in each.
Verify that CFAuthorization cookies are the same in each window.
Log out in Window 1 whilst F5ing continuously in Window 2.
If set up as above, there is a race condition here if on the logout Step 2 hasn't persisted yet whilst the refresh is setting Step 2?
Expected: Tab 1 successfully logs out. Tab 2 returns 403 in about 5-15 seconds (this happens around 3 out of 4 times)
Unexpected: Tab 1 successfully logs out. Tab 2 returns 200s all the time, never logs out. (happens 25% of the time)
Wait a minute, is cdn-cgi/access/logout just a helper to send a delete-cookie on the response? It doesn't actually revoke the active session? That would explain the race??
Loving the documentation on Access /s
Thank you for raising this.
When the logout endpoint is called (or someone logs out), all tokens for that specific user are revoked. In addition to updating the edge about the revocation we also remove the cookies for the specific domain they logged out from.
It can take up to a minute or two for the revocation to take full effect. It has to first get pushed out worldwide, and there is a cache that will hold the revocation records up to a minute. This is also why the problem would appear more pronounced in the scenario of refreshing, because it takes longer for the cache to fall out.
I agree that the documentation needs to be more clear on exactly how logout functions with respect to revocation. We will make those updates and let you know here.
Happy to discuss further if you have additional questions.
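A small script for the check described in this thread (log out with one cookie, then keep hitting the app with that same cookie and time how long 200s keep coming back, against the one-to-two-minute propagation window stated above), written as an added example that is not code from the original posts or from Cloudflare. It assumes a hypothetical app URL and a CF_Authorization cookie value copied from a logged-in tab; the `simulate` helper replays a constructed status sequence against a fake clock so the poller can be exercised offline.

```python
import time
import urllib.error
import urllib.request
from typing import Callable, Iterable, Optional

LOGOUT_PATH = "/cdn-cgi/access/logout"  # Access logout endpoint named in the thread
COOKIE_NAME = "CF_Authorization"        # Access session cookie (written CFAuthorization above)

class _NoRedirect(urllib.request.HTTPRedirectHandler):  # a 302 to the login page must not count as 200
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

_opener = urllib.request.build_opener(_NoRedirect)

def http_status(url: str, cookie: str) -> int:
    """Status code for one request that presents the (possibly revoked) session cookie."""
    req = urllib.request.Request(url, headers={"Cookie": f"{COOKIE_NAME}={cookie}"})
    try:
        with _opener.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 3xx/4xx/5xx all surface here because redirects are not followed

def wait_for_revocation(probe: Callable[[], int], timeout_s: float = 120.0,
                        interval_s: float = 1.0, clock=time.monotonic,
                        sleep=time.sleep) -> Optional[float]:
    """Poll until the old cookie stops yielding 200. Returns seconds elapsed, or None on timeout."""
    start = clock()
    while True:
        elapsed = clock() - start
        if probe() != 200:
            return elapsed
        if elapsed >= timeout_s:
            return None  # still 200 after the window: worth reporting, not a flaky test
        sleep(interval_s)

def simulate(statuses: Iterable[int], timeout_s: float, interval_s: float) -> Optional[float]:
    """Offline run of the poller over a constructed status sequence with a fake clock."""
    now = [0.0]
    seq = iter(statuses)
    def fake_sleep(s): now[0] += s
    return wait_for_revocation(lambda: next(seq), timeout_s, interval_s,
                               clock=lambda: now[0], sleep=fake_sleep)

if __name__ == "__main__":
    # Live run (hypothetical values): an Access-protected app and a cookie copied from Tab 1.
    base, cookie = "https://app.example.com", "<CF_Authorization value from logged-in tab>"
    http_status(base + LOGOUT_PATH, cookie)                               # Tab 1: log out
    print(wait_for_revocation(lambda: http_status(base + "/", cookie)))   # Tab 2: keep refreshing
```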