sbp commented on issue #738: URL: https://github.com/apache/tooling-trusted-releases/issues/738#issuecomment-4049046408
Closing [per my comment on upstream](https://github.com/apache/infrastructure-asfquart/issues/57#issuecomment-4049040455):

> I don't think that this issue is valid. In the [current `session.py`](https://github.com/apache/infrastructure-asfquart/blob/c7163bef6f5340d7a8f365497a1cb2ac7161ffa6/src/asfquart/session.py#L45-L104) there is a branch which amounts to:
>
> ```python
> if cookie_id in quart.session:
>     ...
> elif bool(quart.request) and 'Authorization' in quart.request.headers:
>     ...
> ```
>
> If there's a session, even an expired session, the first branch is taken. If not, the second branch is taken. In the case of an expired cookie it just deletes the cookie. The issue says:
>
> > "When header-based authentication is used, explicitly ignore or clear cookie session state to prevent ambiguity about which identity is active."
>
> But if the header-based authentication branch is taken, that means _there cannot be a present session_ and therefore there is no cookie either to ignore or to clear.
