Jwt Token Invalidated at logout so that some endpoints cannot be accessed with previous jwt token

[sug-ghosh]

Description

When a user logged off from the UI, a malicious user can send request with the existing cookie of the user. The admin UI still authenticate as a valid user.

Mainly in endpoint, https://trino-host:8080/ui/api/query , https://trino-host:8080/ui/api/cluster , https://trino-host:8080/ui/api/stats the malicious user can see the query details.
Even thought jwt Token is bind with Cookie and the the token Expiry time can be set as short-lived token. Still if an user logged off before that, it still an issue as malicious user can see the query details by hitting https://trino-host:8080/ui/api/query .

Fixes #21783

Additional context and related issues

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text:

# Section
* Fix some things. ({issue}`issuenumber`)

[sug-ghosh]

cc @dain @lukasz-walkiewicz

[github-actions]

This pull request has gone a while without any activity. Tagging the Trino developer relations team: @bitsondatadev @colebow @mosabua

[github-actions]

Closing this pull request, as it has been stale for six weeks. Feel free to re-open at any time.

[mosabua]

I added the stale-ignore label since there is interest to proceed.

[dain]

I don't think this ia a good approach. I think the best we can do is to delete the cookie when they log out, but it is a timed login at the core. If you need immediate invalidation, I suggest you use oauth with an IdP that supports that.

[mosabua]

Given the concerns raised by @dain I am closing this issue. If you want to implement to delete the cookie in Trino as mentioned please send a new PR and link to this one.

[sug-ghosh]

okay, I will raise a new PR @mosabua @dain , thank you.