[ https://issues.apache.org/jira/browse/OFBIZ-4959?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Roberto Benítez Monje updated OFBIZ-4959:
-----------------------------------------
Description:
The logout method does not disable the autoLogin functionality. Instead, it just
initializes autoLogin in the session and request.
autoLoginCheck has to be replaced with autoLoginRemove inside the logout
method.
{code:title=LoginEvents/LoginWorker.java|borderStyle=solid}
public static String logout(HttpServletRequest request, HttpServletResponse response) {
    // invalidate the security group list cache
    GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
    String returnValue = "success";
    if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
        try {
            // remove the auto-login data instead of re-running autoLoginCheck
            returnValue = autoLoginRemove(request, response);
        } catch (IOException e) {
            Debug.logWarning(e, "", module);
        }
    }
    // log out from all other sessions too; do this here so that it is only done when a user explicitly logs out
    logoutFromAllSessions(userLogin);
    doBasicLogout(userLogin, request);
    return returnValue;
}
{code}
was:
The logout method does not disable the autoLogin functionality. Instead, it just
initializes autoLogin in the session and request.
autoLoginCheck has to be replaced with autoLoginRemove inside the logout
method.
> Logout do not remove autoLogin
> ------------------------------
>
> Key: OFBIZ-4959
> URL: https://issues.apache.org/jira/browse/OFBIZ-4959
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
> Affects Versions: Release 09.04, Release 10.04
> Environment: Windows 2003 Server. Apache Ofbiz 2004 and Ofbiz 10
> Reporter: Roberto Benítez Monje
> Labels: logout, security
> Original Estimate: 70,056h
> Remaining Estimate: 70,056h
>
> The logout method does not disable the autoLogin functionality. Instead, it just
> initializes autoLogin in the session and request.
> autoLoginCheck has to be replaced with autoLoginRemove inside the logout
> method.
> {code:title=LoginEvents/LoginWorker.java|borderStyle=solid}
> public static String logout(HttpServletRequest request, HttpServletResponse response) {
>     // invalidate the security group list cache
>     GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
>     String returnValue = "success";
>     if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
>         try {
>             // remove the auto-login data instead of re-running autoLoginCheck
>             returnValue = autoLoginRemove(request, response);
>         } catch (IOException e) {
>             Debug.logWarning(e, "", module);
>         }
>     }
>     // log out from all other sessions too; do this here so that it is only done when a user explicitly logs out
>     logoutFromAllSessions(userLogin);
>     doBasicLogout(userLogin, request);
>     return returnValue;
> }
> {code}
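Added example, not part of the original JIRA message and not OFBiz code: a plain-Java model of the behaviour reported above, contrasting a logout that only re-runs the auto-login check with one that removes the auto-login marker. The `Browser` class, the marker name and all method bodies are assumptions made for illustration; only the names `autoLoginCheck` and `autoLoginRemove` come from the report.

```java
import java.util.HashMap;
import java.util.Map;

/** Constructed model of an auto-login flow; assumes the marker is a persistent cookie. */
public class AutoLoginLogoutDemo {
    // Hypothetical name for the persistent auto-login marker.
    static final String MARKER = "AUTO_LOGIN_MARKER";

    /** Client state: cookies survive a logout, the server-side session does not. */
    static class Browser {
        Map<String, String> cookies = new HashMap<>();
        Map<String, String> session = new HashMap<>();
    }

    static void login(Browser b, String user) {
        b.session.put("userLogin", user);
        b.cookies.put(MARKER, user); // remembered for later visits
    }

    /** Initializes auto login in the session from the persistent marker. */
    static void autoLoginCheck(Browser b) {
        String user = b.cookies.get(MARKER);
        if (user != null) {
            b.session.put("autoUserLogin", user);
        }
    }

    /** Drops the persistent marker as well as the session copy. */
    static void autoLoginRemove(Browser b) {
        b.cookies.remove(MARKER);
        b.session.remove("autoUserLogin");
    }

    /** Logout as reported: auto login is re-initialized, never removed. */
    static void logoutReported(Browser b) { autoLoginCheck(b); b.session.clear(); }

    /** Logout as proposed in the report. */
    static void logoutFixed(Browser b) { autoLoginRemove(b); b.session.clear(); }

    /** Simulates the next visit from the same browser with a brand-new session. */
    static boolean recognisedOnNextVisit(Browser b) {
        b.session = new HashMap<>();
        autoLoginCheck(b);
        return b.session.containsKey("autoUserLogin");
    }

    public static void main(String[] args) {
        Browser before = new Browser(); login(before, "demo-user"); logoutReported(before);
        Browser after = new Browser(); login(after, "demo-user"); logoutFixed(after);
        System.out.println("reported logout, recognised again: " + recognisedOnNextVisit(before));
        System.out.println("fixed logout, recognised again: " + recognisedOnNextVisit(after));
    }
}
```

The same pattern works as a regression check against a real deployment: log in, log out, replay the browser's remaining cookies in a new session and assert that no user is recognised.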