gitlab-pages Cookie persists after GitLab sign out
When invalidating a GitLab session through sign-out, the Pages cookies on the other domain are not mutated.
The `gitlab-pages` cookie together with the `_gitlab_session` cookie will still be sent.
This allows a page to still be accessed even when the user is no longer authenticated.
You can replicate it in a private window:
- Open an authorized Pages website
- Sign in to GitLab
- View the authorized page
- Sign out of GitLab in another tab
- Reload the authorized page and observe that it does not fail
It seems this is related to the back-channel logout capabilities of OIDC, where GitLab, upon sign-out, should also invalidate active user sessions on downstream projects.
Filing this here where it surfaces.
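The report above names OIDC back-channel logout as the missing link between the GitLab session and the Pages cookie on the other domain. The following Python model is an added illustration for this page, not code from GitLab or gitlab-pages: two in-memory services stand in for GitLab (the OpenID provider) and gitlab-pages (a relying party on another domain), and `reproduce()` walks through the reporter's steps once without and once with a back-channel logout. The class names, the listener callback that delivers the logout token, and the HMAC over JSON used in place of a signed JWT are assumptions made for the example.

```python
"""Model of the sign-out gap reported above (illustrative, not GitLab's code).

IdentityProvider stands in for GitLab, PagesServer for gitlab-pages. The
HMAC-over-JSON logout token and the listener callback are assumptions; a real
OIDC logout token is a signed JWT delivered by HTTP POST to the RP.
"""
import hashlib
import hmac
import json
import secrets
import time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class IdentityProvider:
    """Stands in for GitLab: owns the _gitlab_session cookie."""

    def __init__(self, key: bytes):
        self.key = key              # assumed: HMAC key instead of a JWT signing key
        self.sessions = {}          # _gitlab_session value -> {"user", "sid"}
        self.logout_listeners = []  # assumed: RP back-channel logout endpoints

    def sign_in(self, user: str) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"user": user, "sid": secrets.token_hex(8)}
        return cookie

    def is_active(self, cookie: str) -> bool:
        return cookie in self.sessions

    def logout_token(self, sid: str) -> tuple[str, str]:
        """Minimal logout token: OIDC-style claims plus an HMAC over them."""
        claims = {"iss": "https://gitlab.example", "sid": sid,
                  "iat": int(time.time()), "events": {BACKCHANNEL_EVENT: {}}}
        payload = json.dumps(claims, sort_keys=True)
        mac = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return payload, mac

    def sign_out(self, cookie: str, back_channel: bool) -> None:
        """Invalidate the GitLab session; optionally notify downstream RPs."""
        sess = self.sessions.pop(cookie, None)
        if sess is None:
            return
        if back_channel:
            token = self.logout_token(sess["sid"])
            for notify in self.logout_listeners:
                notify(token)


class PagesServer:
    """Stands in for gitlab-pages: mints its own cookie on another domain."""

    def __init__(self, idp: IdentityProvider, idp_key: bytes):
        self.idp = idp
        self.idp_key = idp_key
        self.cookies = {}           # gitlab-pages cookie value -> upstream sid
        idp.logout_listeners.append(self.backchannel_logout)

    def authorize(self, gitlab_cookie: str) -> str:
        """Only an active GitLab session may mint a Pages cookie; the cookie
        remembers which upstream session (sid) it was derived from."""
        sess = self.idp.sessions.get(gitlab_cookie)
        if sess is None:
            raise PermissionError("no active GitLab session")
        cookie = secrets.token_hex(16)
        self.cookies[cookie] = sess["sid"]
        return cookie

    def can_view(self, pages_cookie: str) -> bool:
        return pages_cookie in self.cookies

    def backchannel_logout(self, token: tuple[str, str]) -> bool:
        """Verify the logout token, then drop every Pages cookie bound to its sid."""
        payload, mac = token
        expected = hmac.new(self.idp_key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False
        claims = json.loads(payload)
        if BACKCHANNEL_EVENT not in claims.get("events", {}) or "sid" not in claims:
            return False
        sid = claims["sid"]
        self.cookies = {c: s for c, s in self.cookies.items() if s != sid}
        return True


def reproduce(back_channel: bool) -> bool:
    """Run the reporter's steps; return whether the Pages site is still
    viewable after the GitLab sign-out."""
    key = b"constructed-example-key"
    idp = IdentityProvider(key)
    pages = PagesServer(idp, key)
    gitlab_cookie = idp.sign_in("alice")           # sign in to GitLab
    pages_cookie = pages.authorize(gitlab_cookie)  # view the authorized page
    assert pages.can_view(pages_cookie)
    idp.sign_out(gitlab_cookie, back_channel)      # sign out in another tab
    assert not idp.is_active(gitlab_cookie)
    return pages.can_view(pages_cookie)            # reload the page


if __name__ == "__main__":
    print("without back-channel logout, still viewable:", reproduce(False))
    print("with back-channel logout, still viewable:   ", reproduce(True))
```

`reproduce(False)` is the behaviour in the report: the upstream session is gone but the Pages cookie keeps working because nothing on the Pages domain ever learns about the sign-out. `reproduce(True)` shows the intended outcome once the provider pushes a logout token keyed by `sid` and the RP revokes only the cookies bound to that session, leaving other users' Pages cookies untouched.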