I just checked this code and it looks really worrying to me. You have
hard-wired the ecommerce component with logic into the heart of the
framework. I think we need to review the entire body of work and maybe
revert it.

On Sat, Feb 10, 2018 at 2:38 PM, Jacques Le Roux
<jacques.le.r...@les7arts.com> wrote:
> On 10/02/2018 at 12:33, Jacques Le Roux wrote:
>>
>> Hi,
>>
>> Almost 6 years ago OFBIZ-4959 "Logout do not remove autoLogin" was created
>> and I closed it as incomplete.
>>
>> Recently while working on OFBIZ-10206 "Security issue in Token Based
>> Authentication" which followed my work in OFBIZ-9833 "Token Based
>> Authentication" I needed a way to get the userLoginId (or userLogin) from
>> the session.
>> But, as explained in OFBIZ-10206, at this stage it was unavailable. So I
>> decided to go with autoLoginCookies. I then "remembered" OFBIZ-4959.
>>
>> So I'd like to commit the patch I provided at OFBIZ-4959. But before that
>> I want to discuss autoLoginCookies and the feature to be sure we are
>> all on the same field.
>>
>> The auto login feature is used in ecommerce applications (ie OOTB
>> ecommerce and ecomseo) to welcome a user when s/he gets back. It does not
>> really log the user in but eases the login process. From the code, the same
>> feature exists in the webpos; I did not check.
>>
>> AutoLoginCookies are also generated for all applications, but are not used
>> for the auto login feature like in ecommerce applications. They can
>> nevertheless be useful, as OFBIZ-10206 "Security issue in Token Based
>> Authentication" proves. But for OFBIZ-10206 and security in general it's better to
>> remove the autoLoginCookies of the other applications (ie no ecommerce and
>> webpos) when the user logs out. Of course if the user quits the session without
>> logging out the autoLoginCookies remain, so it's best to start with a clean
>> state and remove the autoLoginCookies at start.
>>
>> Without negative opinions I'll commit the OFBIZ-4959.patch in 1 week.
>>
>> Jacques
>>
>>
> Forgot to say that the autoLoginCookies have a time to live of 1 year.
>
> Jacques
>
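The two cleanup points Jacques describes (expire the cookie on logout, and start with a clean state) sketched as a servlet helper. This is an added illustration, not OFBiz code or the OFBIZ-4959 patch; the cookie name and path are assumptions, and the browser only drops a cookie when the expiring cookie's name, path and domain match the original.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical helper for applications that do not use auto login
 *  (the thread's "no ecommerce and webpos" case). */
public final class AutoLoginCookieCleanup {
    static final String COOKIE_NAME = "autoUserLoginId"; // assumed name
    static final String COOKIE_PATH = "/";                // assumed path

    /** Expire the auto-login cookie. Name, path and domain must match the
     *  cookie originally set, otherwise the browser keeps the old one. */
    public static void expireAutoLoginCookie(HttpServletResponse response) {
        Cookie dead = new Cookie(COOKIE_NAME, "");
        dead.setMaxAge(0);        // max-age 0 tells the browser to delete it
        dead.setPath(COOKIE_PATH);
        dead.setHttpOnly(true);   // keep it out of reach of page scripts
        dead.setSecure(true);     // only ever sent over TLS
        response.addCookie(dead);
    }

    /** True if the request still carries an auto-login cookie. */
    public static boolean hasAutoLoginCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when none were sent
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) return true;
        }
        return false;
    }

    /** Logout: invalidate the server-side session and expire the cookie,
     *  so a 1-year cookie does not outlive the login it belongs to. */
    public static void logout(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
        expireAutoLoginCookie(response);
    }

    /** Session start: drop a cookie left over by a browser that was closed
     *  without logging out, giving the clean state the thread asks for. */
    public static void onSessionStart(HttpServletRequest request, HttpServletResponse response) {
        if (hasAutoLoginCookie(request)) expireAutoLoginCookie(response);
    }
}
```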
