Skip to content

fix(logout)!: clear Inertia prefetch cache on logout to prevent data leakage #97

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(logout)!: clear Inertia prefetch cache on logout to prevent data leakage #97

wants to merge 1 commit into from
+7 −2

Conversation

SkandarS0
Copy link

Issue

This PR fixes a potential security issue where cached data is not cleared on user logout, leading to possible data leakage in multi-user environments.

Steps to Reproduce

These steps should be done within less 30 seconds as the cache duration for the Settings link button is set to the default duration.

Open your browser's DevTools to track prefetching requests.

  1. Log in as User A.
  2. Hover over the Settings link button when data will be prefetched.
  3. Log out and log in as User B.
  4. Upon hovering over the Settings link button, no data will be prefetched as there is already cached data about User A.
  5. Clicking the Settings link button will result in showing the profile's settings BUT with User A's data.

Video demonstration

Screen.Recording.2025-04-09.181727.mp4

Solution

Added a call to router.flushAll() in the logout process to clear the Inertia prefetch cache.

Video demonstration

Screen.Recording.2025-04-09.182602.mp4

@SkandarS0
fix(logout): clear Inertia prefetch cache on logout to prevent data l…
3a55ca3 
…eakage.

Ensure the `router.flushAll()` method is called during the logout process to clear the Inertia prefetch cache.
This prevents potential data leakage where a later user on the same device could access preloaded data from the previous session.
@SkandarS0 SkandarS0 changed the title fix(logout): clear Inertia prefetch cache on logout to prevent data leakage fix(logout)!: clear Inertia prefetch cache on logout to prevent data leakage Apr 9, 2025
@tnylea tnylea mentioned this pull request Apr 15, 2025
Open
@tnylea
Copy link
Contributor

tnylea commented Apr 15, 2025

Hey @SkandarS0, thanks for the thorough explanation and the videos. Really appreciate it. I've added this same fix to the Vue Starter Kit here: laravel/vue-starter-kit#116.

Vue version did not use the prefetch attribute, so it was not an issue, but to keep things consistent, I've added the attribute and the flush method.

Appreciate it!

@tnylea tnylea added the Approved Approved for Merge label Apr 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Approved Approved for Merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@SkandarS0 @tnylea