
Cookie not cleared after logout, Shiro session remains active

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.12.1
    • Fix Version/s: 1.13.0
    • Component/s: Core: Security: Shiro
    • Labels: None
    • Environment: OSX

      Description

      I have some files that I have stored in the resource folder, which I only want to be available for authenticated users. So I have added the following contents to my shiro.ini file:

      [main]
      authc.loginUrl = /wicket/signin

      [urls]
      /dist/** = authc

      When I am not authenticated, retrieving a page from that folder correctly brings me to Wicket. After logging in, the resource becomes available. However, when I log out, either through the TertiaryActionsPanel in Wicket, or using the logout call from the UserResource, it seems that my cookie is not cleared. I am logged out from Wicket, but I can still access the resources (until I clear my cookie on client side).

      In this case I'm trying to protect a few resources, which is kind of a ridiculous use case, but I think that this also applies to other servlet filters, which may lead to some unwanted results.

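      What the fix below changes is the server-side Shiro session, not the cookie in the browser. The following is an added example (not code from the Isis project or from the reporter) that uses Shiro's standalone `DefaultSecurityManager` with a constructed in-memory realm (the user `sven`/`pass` and the role name are made up) to show the difference: after a login, the session id that a `JSESSIONID` cookie would carry resolves to an authenticated Subject, and a logout that never calls `Subject.logout()` leaves it that way, which is the state the reporter observed when `/dist/**` stayed reachable. Calling `SecurityUtils.getSubject().logout()` stops the session and, with the default session manager, deletes it, so the same id no longer resolves and a replayed cookie is worthless whether or not the client ever cleared it.

```java
import java.io.Serializable;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.session.mgt.DefaultSessionKey;
import org.apache.shiro.subject.Subject;

public class ShiroLogoutCheck {

    /**
     * True if the security manager can still resolve a session for this id.
     * This is the server-side equivalent of "would a replayed session cookie still work?".
     */
    static boolean sessionStillResolvable(SecurityManager securityManager, Serializable sessionId) {
        try {
            return securityManager.getSession(new DefaultSessionKey(sessionId)) != null;
        } catch (SessionException e) {
            // UnknownSessionException / InvalidSessionException: the id maps to nothing any more.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed in-memory realm standing in for the application's shiro.ini;
        // the user, password and role below are made up for this demo.
        Ini ini = new Ini();
        ini.load("[users]\nsven = pass, user_role\n[roles]\nuser_role = *\n");
        SecurityManager securityManager = new DefaultSecurityManager(new IniRealm(ini));
        SecurityUtils.setSecurityManager(securityManager);

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("sven", "pass"));
        Serializable sessionId = subject.getSession().getId();
        System.out.println("after login:  authenticated=" + subject.isAuthenticated()
                + " sessionResolvable=" + sessionStillResolvable(securityManager, sessionId));

        // Before the fix, logging out of the viewer ended here: the viewer tore down its own
        // state, but nothing told Shiro, so the id above kept resolving to an authenticated
        // Subject and every request carrying the old cookie still passed the authc filter.

        // The fix: log the Shiro Subject out. This clears the Subject's principals and stops
        // the session; the default DefaultSessionManager also deletes it from its session DAO.
        SecurityUtils.getSubject().logout();
        System.out.println("after logout: authenticated=" + subject.isAuthenticated()
                + " sessionResolvable=" + sessionStillResolvable(securityManager, sessionId));
    }
}
```

      Run with `shiro-core` on the classpath. The second line should report the subject as unauthenticated and the session as no longer resolvable; if a logout path in an application leaves `sessionStillResolvable` true for the old id, that path has the same hole this issue describes.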
        Activity

        jira-bot ASF subversion and git services added a comment -

        Commit f84d8665849d61d5d0865d1748c5148b318cf94c in isis's branch refs/heads/master from Dan Haywood
        [ https://git-wip-us.apache.org/repos/asf?p=isis.git;h=f84d866 ]

        ISIS-1434: ensures that shiro Subject is logged out when user logs out via wicket viewer or RO viewer

        This commit extends the Authenticator internal API to include a logout(...) method, called when the AuthenticationSession is closed. The AuthenticationManager#closeSession(...) is now called consistently by both the Wicket viewer and also Restful Objects viewer.

        danhaywood Dan Haywood added a comment -

        Thanks for providing this example. Also, the details about using Shiro to secure resources are useful; I'll add them to our docs.

        Anyway, I took your example and initially I thought it demonstrated the issue - that after logout via wicket the /dist/xxx resources were still available. However, if I did a force reload (ignore cache) then it took me to the signin page. This was without invalidating the shiro session.

        That said, I do think it is correct that the shiro session should be invalidated... ie SubjectUtils.getSubject().logout(). So I've gone ahead and done this.

        A note of caution though ... even with this implemented I find that I can access the /dist/xxx after logout, because the browser serves the resource from the cache. Doing a force reload correctly redirects to the signin page.

        If the resources absolutely must not be available after login, then I think a suitable cache expiry header would be required, eg decorated via a filter etc.

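        One way to add the cache expiry header suggested in the comment above, as an added example that is not Isis project code: a plain `javax.servlet.Filter` that marks every response it touches as non-cacheable, placed in front of `authc` in the Shiro filter chain for `/dist/**`. Shiro lets any `Filter` bean defined in `[main]` be referenced by name in `[urls]`, which is how it is wired below. The class, the package `com.example` and the filter name `noStore` are hypothetical.

```java
package com.example;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Marks responses as non-cacheable so a browser cannot serve a protected resource from
 * its cache after the session behind it has been logged out.
 *
 * Wiring in shiro.ini (filters defined in [main] are available by name in [urls];
 * the loginUrl line is the reporter's, the rest is this example's):
 *
 *   [main]
 *   noStore = com.example.NoStoreFilter
 *   authc.loginUrl = /wicket/signin
 *
 *   [urls]
 *   /dist/** = noStore, authc
 */
public class NoStoreFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // HTTP/1.1 caches: never store, and never reuse without revalidating.
            http.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0");
            // HTTP/1.0 caches and intermediaries.
            http.setHeader("Pragma", "no-cache");
            // Already expired (epoch), for caches that only honour Expires.
            http.setDateHeader("Expires", 0L);
        }
        // Headers are set before the chain continues so they are present on the response
        // regardless of whether the downstream servlet writes the body or authc redirects.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

        Because the headers are set before `chain.doFilter`, a downstream resource servlet that calls `setHeader("Cache-Control", ...)` itself would replace them; after deploying, check a `/dist/...` response with `curl -I` (sending a valid session cookie) to confirm `Cache-Control: no-store` is what actually reaches the client. With this in place, the force reload the comment describes is no longer needed for the post-logout redirect to the signin page.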
        jira-bot ASF subversion and git services added a comment -

        Commit 0d906485127c41771d85e15783c0869313a27eea in isis's branch refs/heads/master from Dan Haywood
        [ https://git-wip-us.apache.org/repos/asf?p=isis.git;h=0d90648 ]

        ISIS-1434: changes the order in which the Shiro session is invalidated, to perform before Wicket viewer completes its own invalidation.

        The original implementation worked on jetty but not as a war file under Tomcat.


          People

          • Assignee: Dan Haywood (danhaywood)
          • Reporter: Jan-Willem Gmelig Meyling (jwgmeligmeyling)
          • Votes: 0
          • Watchers: 3
