I had the same problem, and added this to my login class before data.setUser(user).
    data.getSession().removeAttribute(AccessControlList.SESSION_KEY);

It gets around the problem with the back button, where LogoutUser isn't called.

Good luck,
David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday February 3, 2005 9:01 AM
To: Turbine Users List
Subject: Antwort: invoking LoginUser twice doesn't change ACL

Hello Joachim,

I had the same problem. My solution was to invalidate the session on logout.

From my experience the problem shows up if you switch your login without leaving your browser. Then the session cookie still exists after logout. What I think happens is that the session still exists, Tomcat does not generate a new one, and so you get a mixture of your old session and the new one ....

It's a minor security bug, because most people did not really share their computer. It's only a problem if you call a Turbine application from an Internet café, and the next guy logs into the same application you called ...

My solution was to add those two lines to the LogoutAction.doPerform method:

    HttpSession hSession = data.getSession();
    hSession.invalidate();

Regards
Uwe

Joachim Draeger <[EMAIL PROTECTED]>
03.02.2005 12:31

To: Turbine Users List <[email protected]>
Cc:
Reply to: "Turbine Users List" <[EMAIL PROTECTED] arta.apache.org>
Subject: invoking LoginUser twice doesn't change ACL

Hello,

I've set up Turbine 2.3.1. When I login and then go back to the login form without logging out, and login as another user, the username changes, but the ACL remains the same!

Is it a bug or a feature?
:-)

To work around I did the following:

------------------------------------
package org.apache.turbine.app.M.modules.actions;

import org.apache.turbine.modules.actions.LogoutUser;
import org.apache.turbine.util.RunData;
import org.apache.turbine.util.security.TurbineSecurityException;

public class LoginUser extends org.apache.turbine.modules.actions.LoginUser
{
    public void doPerform(RunData data) throws TurbineSecurityException
    {
        // Run the stock logout first so state left by the previous user is dropped
        LogoutUser logout = new LogoutUser();
        logout.doPerform(data);
        // Clear the message set by the logout action
        data.setMessage("");
        // Then continue with the normal login
        super.doPerform(data);
    }
}
-------------------------------------

Just invoking data.setACL(null) before logging in didn't help!

regards,
Joachim

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
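
Added example, not part of the original thread and not Turbine's own code: a self-contained Java model of the stale-ACL behaviour discussed above and of the two fixes (dropping the ACL attribute or invalidating the session). It assumes the ACL is cached in the session and rebuilt only when the attribute is absent, which is consistent with the workarounds in the thread but is not stated on this page; the class, key names and role table are constructed for illustration.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class StaleAclDemo {
    // Constructed keys; ACL_KEY stands in for AccessControlList.SESSION_KEY.
    static final String USER_KEY = "user";
    static final String ACL_KEY = "acl";

    // Constructed role table standing in for the security service.
    static final Map<String, List<String>> ROLES = Map.of(
            "admin", List.of("read", "write", "delete"),
            "guest", List.of("read"));

    // Per-request step (assumed): reuse the cached ACL, build it only when absent.
    @SuppressWarnings("unchecked")
    static List<String> resolveAcl(Map<String, Object> session) {
        List<String> acl = (List<String>) session.get(ACL_KEY);
        if (acl == null) {
            acl = ROLES.getOrDefault((String) session.get(USER_KEY), List.of());
            session.put(ACL_KEY, acl);
        }
        return acl;
    }

    // Login that only swaps the user: the previous user's ACL stays cached.
    static void loginKeepingSession(Map<String, Object> session, String user) {
        session.put(USER_KEY, user);
    }

    // Login that drops all prior session state first, the effect of
    // invalidating the session (or removing the ACL attribute) before login.
    static void loginFreshSession(Map<String, Object> session, String user) {
        session.clear();
        session.put(USER_KEY, user);
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        loginKeepingSession(session, "admin");
        resolveAcl(session);                    // admin's ACL is now cached
        loginKeepingSession(session, "guest");  // back button, second login, no logout
        System.out.println("kept session:  guest has " + resolveAcl(session));
        loginFreshSession(session, "guest");
        System.out.println("fresh session: guest has " + resolveAcl(session));
    }
}
```

In a real servlet container, clearing the map corresponds to calling invalidate() on the old HttpSession and letting the container issue a new one, so the second user does not inherit the first user's session ID either.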
