[ https://issues.apache.org/jira/browse/OFBIZ-4959?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Roberto Benítez Monje updated OFBIZ-4959: ----------------------------------------- Description: Logout method do not disable autoLogin functionality. Instead of that it just initializes autoLogin in session and request. It have to be replace autoLoginCheck for autoLoginRemove inside of logout method. {code:title=LoginEvents/LoginWorker.java|borderStyle=solid} public static String logout(HttpServletRequest request, HttpServletResponse response) { // invalidate the security group list cache GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin"); String returnValue = "success"; if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) { try { returnValue = autoLoginRemove(request, response); } catch (IOException e) { Debug.logWarning(e, "", module); } } // log out from all other sessions too; do this here so that it is only done when a user explicitly logs out logoutFromAllSessions(userLogin); doBasicLogout(userLogin, request); return returnValue; } {code} was: Logout method do not disable autoLogin functionality. Instead of that it just initializes autoLogin in session and request. It have to be replace autoLoginCheck for autoLoginRemove inside of logout method. > Logout do not remove autoLogin > ------------------------------ > > Key: OFBIZ-4959 > URL: https://issues.apache.org/jira/browse/OFBIZ-4959 > Project: OFBiz > Issue Type: Bug > Components: ALL COMPONENTS > Affects Versions: Release 09.04, Release 10.04 > Environment: Windows 2003 Server. Apache Ofbiz 2004 and Ofbiz 10 > Reporter: Roberto Benítez Monje > Labels: logout, security > Original Estimate: 70,056h > Remaining Estimate: 70,056h > > Logout method do not disable autoLogin functionality. Instead of that it just > initializes autoLogin in session and request. > It have to be replace autoLoginCheck for autoLoginRemove inside of logout > method. > {code:title=LoginEvents/LoginWorker.java|borderStyle=solid} > public static String logout(HttpServletRequest request, HttpServletResponse > response) { > // invalidate the security group list cache > GenericValue userLogin = (GenericValue) > request.getSession().getAttribute("userLogin"); > String returnValue = "success"; > if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) { > try { > returnValue = autoLoginRemove(request, response); > } catch (IOException e) { > Debug.logWarning(e, "", module); > } > } > // log out from all other sessions too; do this here so that it is only > done when a user explicitly logs out > logoutFromAllSessions(userLogin); > doBasicLogout(userLogin, request); > return returnValue; > } > {code} -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira