From 22e2a7720fc4ee58ba24e455e721ab43fae322b7 Mon Sep 17 00:00:00 2001
From: Thomas Kluyver
Date: Thu, 20 Jul 2017 13:32:39 +0100
Subject: [PATCH] Render the logout page without auth tokens

The user is technically still logged in when the logout page is produced, but this is not obvious to the user, and they may leave the page open. This ensures that it is rendered without information such as auth tokens which should only be available to a logged-in user.
---
 notebook/templates/logout.html | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/notebook/templates/logout.html b/notebook/templates/logout.html
index 289ac89f8..3a58875c2 100644
--- a/notebook/templates/logout.html
+++ b/notebook/templates/logout.html
@@ -1,5 +1,12 @@
 {% extends "page.html" %}
+{# This template is rendered in response to an authenticated request, so the
+ user is technically logged in. But when the user sees it, the cookie is
+ cleared by the Javascript, so we should render this as if the user was logged
+ out, without e.g. authentication tokens.
+#}
+{% set logged_in = False %}
+
 {% block stylesheet %}
 {{super()}}