
Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Release Branch 18.12, Trunk
    • Fix Version/s: 18.12.01
    • Component/s: framework/webapp
    • Labels: None

    Description

      There is a session attribute called "_PREVIOUS_REQUEST_" used to remember and execute the previous request after a login occurs. This attribute is not removed properly when navigating away from a page without logging in.

      When navigating to a page that requires authentication, the "_PREVIOUS_REQUEST_" attribute is saved in the session from within the LoginWorker to be called again when the login was successful through the RequestHandler. Currently, the attribute is only removed when a login occurs, resulting in the previous request being stored in the session until some form of login is successfully executed.

      This behavior potentially results in navigation problems since a user is able to navigate to a page requiring authentication without logging in. An old request will be pulled from the session when a similar event occurs and the user logs in.


      I propose to have the RequestHandler remove the session attribute "_PREVIOUS_REQUEST_" after calling a request that does not require authentication. We also have to restructure the sequence of request handling to have the "targetRequestUri" handled after the security check and a possible removal of the session attribute.


      One problem arises with this solution, however, which should be less of an issue than the current state:

      If the login page includes a request call that is handled after the request showing the login page (for example an AJAX call rendering a screen), the "_PREVIOUS_REQUEST_" attribute will be lost before the login is processed. To my knowledge such a case does not exist within the OFBiz environment and seems to be an edge case far less problematic than the above-mentioned problem.
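      The request-handling order the issue proposes (security check first, clearing of the stored target on any non-authenticated request, and only then resolving the target URI), shown as an added, simplified Java example; this is not OFBiz's RequestHandler or LoginWorker code, and the request names, the login-request names and the plain Map standing in for the HttpSession are constructed for the illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class PreviousRequestDemo {
    // Session attribute name from the issue; the request sets below are constructed for this example.
    static final String PREVIOUS_REQUEST = "_PREVIOUS_REQUEST_";
    static final Set<String> AUTH_REQUIRED = Set.of("ordermgr/orderview", "partymgr/viewprofile");
    static final Set<String> LOGIN_REQUESTS = Set.of("login", "checkLogin");

    static boolean isLoggedIn(Map<String, Object> session) {
        return session.containsKey("userLogin");
    }

    /** Returns the request URI that ends up being served, emulating the proposed ordering. */
    static String handle(String requestUri, Map<String, Object> session) {
        boolean requiresAuth = AUTH_REQUIRED.contains(requestUri);

        // 1. Security check comes first: an unauthenticated hit on a protected request stores the
        //    target (what LoginWorker does) and sends the user to the login request instead.
        if (requiresAuth && !isLoggedIn(session)) {
            session.put(PREVIOUS_REQUEST, requestUri);
            return "login";
        }

        // 2. The proposed fix: a request that needs no authentication and is not part of the login
        //    flow clears the stored target, so a stale target cannot be replayed by a later login.
        //    (An AJAX request fired by the login page itself would also clear it: the edge case above.)
        if (!requiresAuth && !LOGIN_REQUESTS.contains(requestUri)) {
            session.remove(PREVIOUS_REQUEST);
        }

        // 3. Only now is the target resolved: a successful login consumes and replays the saved request.
        if (LOGIN_REQUESTS.contains(requestUri) && isLoggedIn(session)
                && session.containsKey(PREVIOUS_REQUEST)) {
            return (String) session.remove(PREVIOUS_REQUEST);
        }
        return requestUri;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        handle("ordermgr/orderview", session);   // protected target stored, user sent to login
        handle("main", session);                 // user navigates away without logging in: target cleared
        session.put("userLogin", "admin");       // a later login succeeds on its own
        // The login request is served as itself; the stale "ordermgr/orderview" is not replayed.
        System.out.println(handle("checkLogin", session));
    }
}
```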

      Attachments

        1. RequestHandler.java.patch
          2 kB
          Olivier Heintz
        2. RequestHandler.java.patch
          1.0 kB
          Olivier Heintz
        3. RequestHandler.java.patch
          1.0 kB
          Olivier Heintz


          People

            jleroux Jacques Le Roux
            Ingo Könemann Ingo Richter
            Votes: 1
            Watchers: 5
