3

Browser automated test requiring multiple logins of different accounts.

Try to log out the legitimate way (automate hitting the button)

or wipe cookies?

Comments
  • 3
    @azuredivay Wiping cookies makes the browser 'lose' the 'access card'. But it doesn't remove that 'card' from the server-side registry.

    I'd argue that the former is more important.
  • 4
    Why not both?
  • 2
    Log out, assert that both the cookie store and the session database are empty. If they aren't, fail the test and wipe both manually before the next one.
  • 2
    What lorentz said, but instead of cleaning up manually between tests, run each test in a brand new browser using a WebDriver API.
  • 1
    @azuredivay I meant sessionId and similar cookies.

    JWT - eh... Devs don't usually bother to implement a proper logout procedure for JWT-managed sessions. But mechanisms are still possible to implement: have a registry of revoked access and refresh tokens.

    As for the WHY -- consider a leaked token. Say you added both your tokens in a unit test, forgot about them and pushed 'em to public GitHub. Aaaand you're fucked if the backend does not invalidate tokens upon logout [should you invoke it]. Anyone can access and use your refresh token for ~30 days to create new access tokens and basically use your credentials forever.
  • 0
    @magicMirror Agreed. Or, write a test to ensure that cookies are truly wiped after clicking the logout button.
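    A constructed in-memory model of the two registries this thread keeps contrasting (the browser's cookie jar and the server-side session and revoked-token registry), added here as an illustration and not code from any commenter. It shows why a logout test should assert on both sides: wiping cookies alone leaves the session and the refresh token usable on the server, while a proper logout clears both. The names `Server`, `Browser` and `fully_logged_out` are assumptions for the example.

```python
"""Constructed model: browser cookie jar vs. server-side session registry."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Server:
    sessions: dict = field(default_factory=dict)         # sessionId -> user
    refresh_tokens: dict = field(default_factory=dict)   # refreshToken -> user
    revoked_refresh: set = field(default_factory=set)    # revocation registry

    def login(self, user):
        creds = {"sessionId": secrets.token_hex(16),
                 "refreshToken": secrets.token_hex(16)}
        self.sessions[creds["sessionId"]] = user
        self.refresh_tokens[creds["refreshToken"]] = user
        return creds

    def logout(self, cookies):
        # Server-side half of a real logout: forget the session and revoke
        # the refresh token so a leaked copy can no longer mint access tokens.
        self.sessions.pop(cookies.get("sessionId"), None)
        rt = cookies.get("refreshToken")
        if rt in self.refresh_tokens:
            self.revoked_refresh.add(rt)

    def refresh(self, rt):
        """Mint a new access token, or None if the refresh token is unusable."""
        if rt not in self.refresh_tokens or rt in self.revoked_refresh:
            return None
        return "access-" + secrets.token_hex(8)


@dataclass
class Browser:
    cookies: dict = field(default_factory=dict)


def login(browser, server, user):
    creds = server.login(user)
    browser.cookies.update(creds)
    return creds


def logout_button(browser, server):
    server.logout(browser.cookies)   # hits the server, not just the jar
    browser.cookies.clear()


def wipe_cookies(browser):
    browser.cookies.clear()          # client-only cleanup


def fully_logged_out(browser, server, creds):
    """True only when the jar is empty AND the server no longer honours
    the session id or refresh token it issued for this login."""
    return (not browser.cookies
            and creds["sessionId"] not in server.sessions
            and server.refresh(creds["refreshToken"]) is None)
```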