diff --git a/CHANGELOG.md b/CHANGELOG.md index 2af55859966b..45d1c4475133 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -69,6 +69,15 @@ ## Unreleased +### Breaking Changes + +#### Plugins + +- **Session**: default value for `logout_post_arg` was removed. That means that you need to actively + configure it to be able to logout by HTTP POST argument. This was done because it lead in the most + cases to unnecessary reads of HTTP bodies, which caused other issues. + [#10333](https://github.com/Kong/kong/pull/10333) + ### Dependencies - Bumped lua-resty-session from 4.0.2 to 4.0.3 diff --git a/kong/plugins/session/schema.lua b/kong/plugins/session/schema.lua index e555805e7c42..f4bc75a5026b 100644 --- a/kong/plugins/session/schema.lua +++ b/kong/plugins/session/schema.lua @@ -94,7 +94,7 @@ return { { request_headers = headers }, { logout_methods = logout_methods }, { logout_query_arg = { type = "string", default = "session_logout" } }, - { logout_post_arg = { type = "string", default = "session_logout" } }, + { logout_post_arg = { type = "string" } }, }, shorthand_fields = { -- TODO: deprecated forms, to be removed in Kong 4.0 diff --git a/kong/plugins/session/session.lua b/kong/plugins/session/session.lua index b753c5ff01f6..424401153279 100644 --- a/kong/plugins/session/session.lua +++ b/kong/plugins/session/session.lua @@ -6,6 +6,17 @@ local kong = kong local ipairs = ipairs +-- In theory bodies are allowed in most HTTP methods, but in +-- practice it is reasonable to limit reading bodies only to +-- below list of HTTP methods. +local READ_BODY_METHODS = { + DELETE = true, -- this is a stretch, but lets allow it + PATCH = true, + POST = true, + PUT = true, +} + + local _M = {} 
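Review bot: With the default gone, the only remaining guard on `logout_post_arg` in schema.lua is `type = "string"`, so an empty string is still a valid configuration; in Lua `""` is truthy, so the `if logout_post_arg` test in session.lua would still trigger a body read and then look up `post_args[""]`. Since the stated goal of the change is to make body reads strictly opt-in, it would be tighter to reject the empty value at the schema, e.g. `{ logout_post_arg = { type = "string", len_min = 1 } }`. A one-line comment on that field saying why there is deliberately no default (the reasoning currently lives only in the changelog entry for #10333) would also help the next maintainer not re-add one.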
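Review bot: The header comment on `READ_BODY_METHODS` in session.lua explains that the list is a practical restriction but not what the list is for or why it is needed, which is the actual motivation given in the changelog hunk (bodies were being read on requests where it was never useful). The keys are uppercase, so the lookup site silently depends on the request method already being normalized to uppercase, which is worth recording next to the table. Suggested replacement comment: `-- HTTP methods for which the plugin is willing to read the request body when looking for logout_post_arg. Keys are uppercase and must match the normalized method name used at the lookup site. Kept deliberately small: reading bodies on other methods was wasted work and caused other issues (see #10333).` The inline `-- this is a stretch, but lets allow it` would read better as `-- DELETE with a body is unusual, but allowed here`.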
@@ -103,7 +114,7 @@ function _M.logout(conf)
 end
 
 local logout_post_arg = conf.logout_post_arg
- if logout_post_arg then
+ if logout_post_arg and READ_BODY_METHODS[request_method] then
 local post_args = kong.request.get_body()
 if post_args and post_args[logout_post_arg] then
 kong.log.debug("logout by post argument")
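Review bot: `request_method` is used in the new condition but is not declared anywhere in this hunk, and `_M.logout` both starts and ends outside it, so its scope cannot be confirmed from the diff. If it is a function-scope local set earlier in `_M.logout` this is fine; if it is only declared inside an earlier branch (or not at all), the name resolves to nil and `READ_BODY_METHODS[nil]` quietly yields nil, so POST-argument logout would never be reached with no error to point at it. If it is not already in scope at this point, `local request_method = kong.request.get_method()` just before the `if` resolves the question explicitly. Note also that the method gate only reduces how often `kong.request.get_body()` runs; for the methods that do pass, the body is still parsed for any content type, so the bound on "unnecessary reads" claimed in the changelog holds only per method, not per request shape.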