Site icon API Security Blog

Shopware Improper Session Handling in store-api account logout

Impact When a authentificated request is made to POST /store-api/account/logout, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on CustomerLogoutEvent and invalidates the session additionally. Patches The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8. Workarounds When you are not able to update, you can install the latest version of the Shopware Security…Read More

Exit mobile version