[jira] [Comment Edited] (OFBIZ-4959) Logout do not remove autoLogin

2018-03-19 Thread Jacques Le Roux (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-4959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16401683#comment-16401683 ]

Jacques Le Roux edited comment on OFBIZ-4959 at 3/19/18 10:18 AM:
--

I completed the fix in

trunk r1826938  

R17.12 r1826939

R16.11 r1826943


I used the only available (and I must say confusing) WebappInfo.getName() when
I needed the webAppName, not the WebappInfoName. So this puts in a new
WebappInfo.getMountPoint() and uses it in getWebappInfo.

Also use LoginWorker.autoLoginSet() in different places where I missed it. In
other words, all autoUserLogin cookies are deleted on login and logout, and
an autoUserLogin cookie is created when going locally from a webapp to another,
with checkExternalLoginKey.



was (Author: jacques.le.roux):
I completed the fix in

trunk r1826938  

R17.12 r1826939

R16.11 r1826943

> Logout do not remove autoLogin
> --
>
> Key: OFBIZ-4959
> URL: https://issues.apache.org/jira/browse/OFBIZ-4959
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
> Affects Versions: Release 09.04, Release 10.04
> Environment: Windows 2003 Server. Apache Ofbiz 2004 and Ofbiz 10
> Reporter: Roberto Benítez Monje
> Assignee: Jacques Le Roux
> Priority: Major
> Labels: logout, security
> Fix For: 17.12.01, 16.11.05
>
> Attachments: OFBIZ-4959.patch, OFBIZ-4959.patch
>
> Original Estimate: 70,056h
> Remaining Estimate: 70,056h
>
> The logout method does not disable the autoLogin functionality. Instead, it just
> initializes autoLogin in session and request.
> It has to replace autoLoginCheck with autoLoginRemove inside of the logout
> method.
> {code:title=LoginEvents/LoginWorker.java|borderStyle=solid}
> public static String logout(HttpServletRequest request, HttpServletResponse response) {
>     // invalidate the security group list cache
>     GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
>     String returnValue = "success";
>     if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
>         try {
>             returnValue = autoLoginRemove(request, response);
>         } catch (IOException e) {
>             Debug.logWarning(e, "", module);
>         }
>     }
>     // log out from all other sessions too; do this here so that it is only done when a user explicitly logs out
>     logoutFromAllSessions(userLogin);
>     doBasicLogout(userLogin, request);
>     return returnValue;
> }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
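
The message above reports a logout that leaves the auto-login cookie in place, and the fix comment says all autoUserLogin cookies are deleted on login and logout. The following check is an added example, not part of the JIRA thread and not OFBiz code: it replays a logout response's Set-Cookie headers against a browser cookie jar and lists the auto-login cookies that survive, including the general browser rule that a deletion only matches a cookie with the same name and path. The `.autoUserLoginId` suffix, the webapp paths and all cookie values are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
AUTO_LOGIN_SUFFIX = ".autoUserLoginId"  # assumed cookie naming, not taken from the thread

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def is_deletion(attrs, now):
    """A cookie is removed by Max-Age <= 0 or an Expires date in the past."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) <= 0
        if "expires" in attrs:
            return parsedate_to_datetime(attrs["expires"]) <= now
    except (TypeError, ValueError):
        pass  # unparseable attribute: treat as not a deletion
    return False

def surviving_auto_login(jar, logout_headers, now=None):
    """Apply a logout response to a jar {(name, path): value}; return auto-login cookies left."""
    now = now or datetime.now(timezone.utc)
    jar = dict(jar)  # work on a copy so the caller's jar is not modified
    for header in logout_headers:
        name, value, attrs = parse_set_cookie(header)
        key = (name, attrs.get("path", "/"))  # simplification: missing Path means "/"
        if is_deletion(attrs, now):
            jar.pop(key, None)  # only removes an entry with the same name AND path
        else:
            jar[key] = value
    return sorted(k for k in jar if k[0].endswith(AUTO_LOGIN_SUFFIX))

# Constructed sample data: cookies held before logout, then three logout responses.
JAR = {("JSESSIONID", "/ordermgr"): "A1B2", ("ordermgr.autoUserLoginId", "/ordermgr"): "admin",
       ("catalog.autoUserLoginId", "/catalog"): "admin"}
SESSION_ONLY = ["JSESSIONID=; Max-Age=0; Path=/ordermgr"]
WRONG_PATH = SESSION_ONLY + ["ordermgr.autoUserLoginId=; Max-Age=0; Path=/"]
ALL_REMOVED = SESSION_ONLY + [
    "ordermgr.autoUserLoginId=; Max-Age=0; Path=/ordermgr",
    "catalog.autoUserLoginId=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/catalog"]
if __name__ == "__main__":
    for label, hdrs in [("session only", SESSION_ONLY), ("wrong path", WRONG_PATH), ("all removed", ALL_REMOVED)]:
        print(label, "->", surviving_auto_login(JAR, hdrs))
```

A non-empty result after a logout response means the browser still holds a credential that can sign the user back in, which is the condition this issue describes.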


[jira] [Comment Edited] (OFBIZ-4959) Logout do not remove autoLogin

2018-02-19 Thread Jacques Le Roux (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-4959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16369438#comment-16369438 ]

Jacques Le Roux edited comment on OFBIZ-4959 at 2/19/18 7:43 PM:
-

Fixed in

trunk r1824803

R17.12 r1824804

R16.11 r1824805+r1824807


was (Author: jacques.le.roux):
Fixed in

trunk r1824803

R17.12 r1824804

R16.11 r1824805
