You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/03/06 08:32:00 UTC

[jira] [Commented] (OFBIZ-12047) Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages

    [ https://issues.apache.org/jira/browse/OFBIZ-12047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17501898#comment-17501898 ] 

ASF subversion and git services commented on OFBIZ-12047:
---------------------------------------------------------

Commit 71adde61b54dfa162419add3ad41b0027dee57ca in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=71adde6 ]

Fixed: Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages (OFBIZ-12047)

Demo content website cmssite/cms could not be accessed because in this case
requestUri is null. Like login request it does not need auth, I did not dig
further, here is a simple fix.


> Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages
> -----------------------------------------------------------------------
>
>                 Key: OFBIZ-12047
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12047
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/webapp
>    Affects Versions: Release Branch 18.12, Trunk
>            Reporter: Ingo Könemann
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: 18.12.01
>
>         Attachments: RequestHandler.java.patch, RequestHandler.java.patch, RequestHandler.java.patch
>
>
> There is a session attribute called "_PREVIOUS_REQUEST_" used to remember and execute the previous request after a login occurs. This attribute is not removed properly when navigating away from a page without logging in.
> When navigating to a page that requires authentication the "_PREVIOUS_REQUEST_" attribute is saved in the session from within the LoginWorker to be called again when the login was successful through the RequestHandler. Currently, the attribute is only removed when a login occurs resulting in the previous request being stored in the session until some form of login is successfully executed.
> This behavior potentially results in navigation problems since a user is able to navigate to a page requiring authentication without logging in. An old request will be pulled from the session when a similar event occurs and the user logs in.
>  
> I propose to have the RequestHandler remove the session attribute "_PREVIOUS_REQUEST_" after calling a request that does not require authentication. We also have to restructure the sequence of request handling to have the "targetRequestUri" handled after the security check and a possible removal of the session attribute.
>  
> One problem arises with this solution, however, which should be less of an issue than the current state:
> If the login page includes a request call that is handled after the request showing the login page (for example an ajax call rendering a screen), the "_PREVIOUS_REQUEST_" attribute will be lost before the login is processed. To my knowledge such a case does not exist within the OFBiz environment and seems to be an edge case far less problematic than the above mentioned problem.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)