Posted to dev@isis.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2016/07/05 06:55:11 UTC

[jira] [Commented] (ISIS-1434) Cookie not cleared after logout, Shiro session remains active

    [ https://issues.apache.org/jira/browse/ISIS-1434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15362120#comment-15362120 ] 

ASF subversion and git services commented on ISIS-1434:
-------------------------------------------------------

Commit 0d906485127c41771d85e15783c0869313a27eea in isis's branch refs/heads/master from [~danhaywood]
[ https://git-wip-us.apache.org/repos/asf?p=isis.git;h=0d90648 ]

ISIS-1434: changes the order in which the Shiro session is invalidated, to perform before Wicket viewer completes its own invalidation.

The original implementation worked on jetty but not as a war file under Tomcat.


> Cookie not cleared after logout, Shiro session remains active
> -------------------------------------------------------------
>
>                 Key: ISIS-1434
>                 URL: https://issues.apache.org/jira/browse/ISIS-1434
>             Project: Isis
>          Issue Type: Bug
>          Components: Core: Security: Shiro
>    Affects Versions: 1.12.1
>         Environment: OSX
>            Reporter: Jan-Willem Gmelig Meyling
>            Assignee: Dan Haywood
>            Priority: Minor
>             Fix For: 1.13.0
>
>
> I have some files that I have stored in the resource folder, which I only want to be available for authenticated users. So I have added the following contents to my shiro.ini file:
> {code}
> [main]
> authc.loginUrl = /wicket/signin
>  
> [urls]
> /dist/** = authc
> {code}
> When I am not authenticated, retrieving a page from that folder correctly brings me to Wicket. After logging in, the resource becomes available. However, when I log out, either through the TertiaryActionsPanel in Wicket, or using the logout call from the UserResource, it seems that my cookie is not cleared. I am logged out from Wicket, but I can still access the resources (until I clear my cookie on client side).
> In this case I'm trying to protect a few resources, which is kind of a ridiculous use case, but I think that this also applies to other servlet filters, which may lead to some unwanted results.
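The commit message above describes the fix only as a reordering: the Shiro session is invalidated before the Wicket viewer completes its own session invalidation. The following is an added illustration of that ordering as an editor's sketch; it is not the Isis project's own code, and the class name `OrderedLogout` and its `logout()` method are assumptions for this example. It uses only public Shiro (`SecurityUtils`, `Subject`) and Wicket (`Session`) APIs, and it does not attempt to reproduce the Jetty-versus-Tomcat difference the commit mentions.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.apache.wicket.Session;

/**
 * Added example (not Isis project code): a logout helper that applies the
 * ordering described in the ISIS-1434 commit message. The Shiro subject and
 * its session are ended first; only then is the Wicket session invalidated.
 */
public final class OrderedLogout {

    private OrderedLogout() {
    }

    /** Hypothetical helper; name and placement are assumptions for this example. */
    public static void logout() {
        // Step 1: end the Shiro side first. Subject.logout() releases the
        // authenticated principals, stops the Shiro session, and asks the
        // configured RememberMeManager to clear any rememberMe cookie it issued.
        // Without this step an "authc"-protected path such as /dist/** stays
        // reachable with the old cookie, which is the symptom the reporter saw.
        Subject subject = SecurityUtils.getSubject();
        if (subject.isAuthenticated() || subject.isRemembered()) {
            subject.logout();
        }

        // Step 2: only now let the Wicket viewer invalidate its own session.
        // invalidateNow() invalidates the backing HttpSession immediately instead
        // of deferring it to the end of the current request cycle.
        if (Session.exists()) {
            Session.get().invalidateNow();
        }
    }
}
```

A practical way to confirm the behaviour after deploying a change like this is to log out in a browser, then request a path matched by the `/dist/** = authc` rule with the same cookie jar: the expected result is a redirect to `authc.loginUrl` rather than the resource itself, and the logout response should carry `Set-Cookie` headers that expire the session cookie (and the rememberMe cookie, if one was issued).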



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)