You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by "Roberto Benítez Monje (JIRA)" <ji...@apache.org> on 2012/07/11 10:09:33 UTC
[jira] [Created] (OFBIZ-4959) Logout do not remove autoLogin
Roberto Benítez Monje created OFBIZ-4959:
--------------------------------------------
Summary: Logout do not remove autoLogin
Key: OFBIZ-4959
URL: https://issues.apache.org/jira/browse/OFBIZ-4959
Project: OFBiz
Issue Type: Bug
Components: ALL COMPONENTS
Affects Versions: Release 10.04, Release 09.04
Environment: Windows 2003 Server. Apache Ofbiz 2004 and Ofbiz 10
Reporter: Roberto Benítez Monje
Logout method do not disable autoLogin functionality. Instead of that it just initializes autoLogin in session and request.
It have to be replace autoLoginCheck for autoLoginRemove inside of logout method.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (OFBIZ-4959) Logout do not remove autoLogin
Posted by "Roberto Benítez Monje (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-4959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13414880#comment-13414880 ]
Roberto Benítez Monje commented on OFBIZ-4959:
----------------------------------------------
logoutFromAllSessions mabye is a method from a previous developper in my company.
Autologin does the Cookies handling. Ofbiz never delete Cookies because autoLoginRemove is never called. I detect this behaviour because I was manipulating ofbiz to allow the user choose his home page and I faced with re-login issue. I saw request and session attributes and even the cookies.
If a user enters in default_component and is redirected automatically to another component when He logout He isn't completely logged out. And if he enters again in default_component is logged in without insert his user and password.
Sorry If I don't express correctly. I don't speak English very well.
> Logout do not remove autoLogin
> ------------------------------
>
> Key: OFBIZ-4959
> URL: https://issues.apache.org/jira/browse/OFBIZ-4959
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
> Affects Versions: Release 09.04, Release 10.04
> Environment: Windows 2003 Server. Apache Ofbiz 2004 and Ofbiz 10
> Reporter: Roberto Benítez Monje
> Labels: logout, security
> Original Estimate: 70,056h
> Remaining Estimate: 70,056h
>
> Logout method do not disable autoLogin functionality. Instead of that it just initializes autoLogin in session and request.
> It have to be replace autoLoginCheck for autoLoginRemove inside of logout method.
> {code:title=LoginEvents/LoginWorker.java|borderStyle=solid}
> public static String logout(HttpServletRequest request, HttpServletResponse response) {
> // invalidate the security group list cache
> GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
> String returnValue = "success";
> if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
> try {
> returnValue = autoLoginRemove(request, response);
> } catch (IOException e) {
> Debug.logWarning(e, "", module);
> }
> }
> // log out from all other sessions too; do this here so that it is only done when a user explicitly logs out
> logoutFromAllSessions(userLogin);
> doBasicLogout(userLogin, request);
> return returnValue;
> }
> {code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (OFBIZ-4959) Logout do not remove autoLogin
Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-4959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420544#comment-13420544 ]
Jacques Le Roux commented on OFBIZ-4959:
----------------------------------------
It's clear enough, thanks. I will have a look when I will get a chance...
> Logout do not remove autoLogin
> ------------------------------
>
> Key: OFBIZ-4959
> URL: https://issues.apache.org/jira/browse/OFBIZ-4959
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
> Affects Versions: Release 09.04, Release 10.04
> Environment: Windows 2003 Server. Apache Ofbiz 2004 and Ofbiz 10
> Reporter: Roberto Benítez Monje
> Labels: logout, security
> Original Estimate: 70,056h
> Remaining Estimate: 70,056h
>
> Logout method do not disable autoLogin functionality. Instead of that it just initializes autoLogin in session and request.
> It have to be replace autoLoginCheck for autoLoginRemove inside of logout method.
> {code:title=LoginEvents/LoginWorker.java|borderStyle=solid}
> public static String logout(HttpServletRequest request, HttpServletResponse response) {
> // invalidate the security group list cache
> GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
> String returnValue = "success";
> if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
> try {
> returnValue = autoLoginRemove(request, response);
> } catch (IOException e) {
> Debug.logWarning(e, "", module);
> }
> }
> // log out from all other sessions too; do this here so that it is only done when a user explicitly logs out
> logoutFromAllSessions(userLogin);
> doBasicLogout(userLogin, request);
> return returnValue;
> }
> {code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (OFBIZ-4959) Logout do not remove autoLogin
Posted by "Roberto Benítez Monje (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-4959?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Roberto Benítez Monje updated OFBIZ-4959:
-----------------------------------------
Description:
Logout method do not disable autoLogin functionality. Instead of that it just initializes autoLogin in session and request.
It have to be replace autoLoginCheck for autoLoginRemove inside of logout method.
{code:title=LoginEvents/LoginWorker.java|borderStyle=solid}
public static String logout(HttpServletRequest request, HttpServletResponse response) {
// invalidate the security group list cache
GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
String returnValue = "success";
if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
try {
returnValue = autoLoginRemove(request, response);
} catch (IOException e) {
Debug.logWarning(e, "", module);
}
}
// log out from all other sessions too; do this here so that it is only done when a user explicitly logs out
logoutFromAllSessions(userLogin);
doBasicLogout(userLogin, request);
return returnValue;
}
{code}
was:
Logout method do not disable autoLogin functionality. Instead of that it just initializes autoLogin in session and request.
It have to be replace autoLoginCheck for autoLoginRemove inside of logout method.
> Logout do not remove autoLogin
> ------------------------------
>
> Key: OFBIZ-4959
> URL: https://issues.apache.org/jira/browse/OFBIZ-4959
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
> Affects Versions: Release 09.04, Release 10.04
> Environment: Windows 2003 Server. Apache Ofbiz 2004 and Ofbiz 10
> Reporter: Roberto Benítez Monje
> Labels: logout, security
> Original Estimate: 70,056h
> Remaining Estimate: 70,056h
>
> Logout method do not disable autoLogin functionality. Instead of that it just initializes autoLogin in session and request.
> It have to be replace autoLoginCheck for autoLoginRemove inside of logout method.
> {code:title=LoginEvents/LoginWorker.java|borderStyle=solid}
> public static String logout(HttpServletRequest request, HttpServletResponse response) {
> // invalidate the security group list cache
> GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
> String returnValue = "success";
> if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
> try {
> returnValue = autoLoginRemove(request, response);
> } catch (IOException e) {
> Debug.logWarning(e, "", module);
> }
> }
> // log out from all other sessions too; do this here so that it is only done when a user explicitly logs out
> logoutFromAllSessions(userLogin);
> doBasicLogout(userLogin, request);
> return returnValue;
> }
> {code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Closed] (OFBIZ-4959) Logout do not remove autoLogin
Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-4959?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-4959.
----------------------------------
Resolution: Incomplete
Assignee: Jacques Le Roux
Sorry this does not make sense to me, I close
> Logout do not remove autoLogin
> ------------------------------
>
> Key: OFBIZ-4959
> URL: https://issues.apache.org/jira/browse/OFBIZ-4959
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
> Affects Versions: Release 09.04, Release 10.04
> Environment: Windows 2003 Server. Apache Ofbiz 2004 and Ofbiz 10
> Reporter: Roberto Benítez Monje
> Assignee: Jacques Le Roux
> Labels: logout, security
> Original Estimate: 70,056h
> Remaining Estimate: 70,056h
>
> Logout method do not disable autoLogin functionality. Instead of that it just initializes autoLogin in session and request.
> It have to be replace autoLoginCheck for autoLoginRemove inside of logout method.
> {code:title=LoginEvents/LoginWorker.java|borderStyle=solid}
> public static String logout(HttpServletRequest request, HttpServletResponse response) {
> // invalidate the security group list cache
> GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
> String returnValue = "success";
> if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
> try {
> returnValue = autoLoginRemove(request, response);
> } catch (IOException e) {
> Debug.logWarning(e, "", module);
> }
> }
> // log out from all other sessions too; do this here so that it is only done when a user explicitly logs out
> logoutFromAllSessions(userLogin);
> doBasicLogout(userLogin, request);
> return returnValue;
> }
> {code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (OFBIZ-4959) Logout do not remove autoLogin
Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-4959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13414433#comment-13414433 ]
Jacques Le Roux commented on OFBIZ-4959:
----------------------------------------
I don't know what you want to express or do with this issue. For instance logoutFromAllSessions does not exist in OFBiz. And why an user would have more than one session?
> Logout do not remove autoLogin
> ------------------------------
>
> Key: OFBIZ-4959
> URL: https://issues.apache.org/jira/browse/OFBIZ-4959
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
> Affects Versions: Release 09.04, Release 10.04
> Environment: Windows 2003 Server. Apache Ofbiz 2004 and Ofbiz 10
> Reporter: Roberto Benítez Monje
> Labels: logout, security
> Original Estimate: 70,056h
> Remaining Estimate: 70,056h
>
> Logout method do not disable autoLogin functionality. Instead of that it just initializes autoLogin in session and request.
> It have to be replace autoLoginCheck for autoLoginRemove inside of logout method.
> {code:title=LoginEvents/LoginWorker.java|borderStyle=solid}
> public static String logout(HttpServletRequest request, HttpServletResponse response) {
> // invalidate the security group list cache
> GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
> String returnValue = "success";
> if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
> try {
> returnValue = autoLoginRemove(request, response);
> } catch (IOException e) {
> Debug.logWarning(e, "", module);
> }
> }
> // log out from all other sessions too; do this here so that it is only done when a user explicitly logs out
> logoutFromAllSessions(userLogin);
> doBasicLogout(userLogin, request);
> return returnValue;
> }
> {code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira