Merge tag '26.10.3' into develop

Update how invalid cookie/session is handled

Author: cslzchen

CHANGELOG

@@ -2,6 +2,11 @@
 
 We follow the CalVer (https://calver.org/) versioning scheme: YY.MINOR.MICRO.
 
+26.10.3 (2026-06-02)
+====================
+
+- Update how invalid cookie/session is handled
+
 26.10.2 (2026-05-27)
 ====================
 

framework/sessions/__init__.py

@@ -164,7 +164,7 @@ def create_session(response, data=None):
 def before_request():
     # TODO: Fix circular import
     from framework.auth.core import get_user
-    from framework.auth import cas, utils
+    from framework.auth import cas
     UserSessionMap = apps.get_model('osf.UserSessionMap')
 
     # Request Type 1: Service ticket validation during CAS login.
@@ -215,8 +215,15 @@ def before_request():
         try:
             user_session = flask_get_session_from_cookie(cookie)
         except InvalidCookieOrSessionError:
-            # If invalid session/cookie happens, perform a full logout to clear both CAS and OSF Sessions
-            response = redirect(utils.get_default_osf_logout_url())
+            # If invalid session/cookie happens, only remove the invalid cookie and redirect to the same request.
+            # This ensures users landing on the page/link they previously clicked.
+            # Case 1: If it's a public page, they land on the correct page.
+            # Case 2: If it's a private page and if they already have a CAS cookie, they will be automatically logged
+            #         back in and land on the correct page.
+            # Case 3: If it's a private page and if they don't have a CAS cookie, they will need to manually log in.
+            #         After successful login, they will land on the correct page.
+            redirect_url = request.url
+            response = redirect(redirect_url)
             response.delete_cookie(settings.COOKIE_NAME, domain=settings.OSF_COOKIE_DOMAIN)
             return response
         # Case 1: anonymous session that is used for first time external (e.g. ORCiD) login only

package.json

@@ -1,6 +1,6 @@
 {
   "name": "OSF",
-  "version": "26.10.2",
+  "version": "26.10.3",
   "description": "Facilitating Open Science",
   "repository": "https://github.com/CenterForOpenScience/osf.io",
   "author": "Center for Open Science",

pyproject.toml

@@ -1,8 +1,11 @@
 [tool.poetry]
 name = "osf-io"
-version = "26.10.2"
+version = "26.10.3"
 description = "The code for [https://osf.io](https://osf.io)."
-authors = ["Longze Chen <cslzchen@gmail.com>"]
+authors = [
+    "Brian J. Geiger <bgeiger@pobox.com>",
+    "Longze Chen <cslzchen@gmail.com>",
+]
 license = "Apache License 2.0"
 readme = "README.md"
 packages = [{include = "osf"}]

tests/test_auth_basic_auth.py

@@ -29,6 +29,7 @@ def setUp(self):
         self.reachable_project = ProjectFactory(title='Private Project User 1', is_public=False, creator=self.user1)
         self.unreachable_project = ProjectFactory(title='Private Project User 2', is_public=False, creator=self.user2)
         self.reachable_url = self.reachable_project.web_url_for('view_project')
+        self.reachable_absolute_url = self.reachable_project.web_url_for('view_project', _absolute=True)
         self.unreachable_url = self.unreachable_project.web_url_for('view_project')
 
     def test_missing_credential_fails(self):
@@ -97,6 +98,14 @@ def test_expired_cookie(self):
         session = SessionStore(session_key=session_key)
         session.delete()
         self.app.set_cookie(settings.COOKIE_NAME, str(cookie))
-        res = self.app.get(self.reachable_url)
+        res = self.app.get(self.reachable_absolute_url)
+        assert res.status_code == 302
+        assert f'{settings.COOKIE_NAME}=;' in res.headers.get('Set-Cookie')
+        assert self.reachable_absolute_url == res.location
+
+    def test_invalid_cookie(self):
+        self.app.set_cookie(settings.COOKIE_NAME, str('INVALID_COOKIE'))
+        res = self.app.get(self.reachable_absolute_url)
         assert res.status_code == 302
-        assert 'http://localhost:5000/logout/?next=http://localhost:4200/' == res.location
+        assert f'{settings.COOKIE_NAME}=;' in res.headers.get('Set-Cookie')
+        assert self.reachable_absolute_url == res.location