Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-12047

Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages



    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • Release Branch 18.12, Trunk
    • 18.12.01
    • framework/webapp
    • None


      There is a session attribute called "PREVIOUS_REQUEST" used to remember and execute the previous request after a login occurs. This attribute is not removed properly when navigating away from a page without logging in.

      When navigating to a page that requires authentication the "PREVIOUS_REQUEST" attribute is saved in the session from within the LoginWorker to be called again when the login was successful through the RequestHandler. Currently, the attribute is only removed when a login occurs resulting in the previous request being stored in the session until some form of login is successfully executed.

      This behavior potentially results in navigation problems since a user is able to navigate to a page requiring authentication without logging in. An old request will be pulled from the session when a similar event occurs and the user logs in.


      I propose to have the RequestHandler remove the session attribute "PREVIOUS_REQUEST" after calling a request that does not require authentication. We also have to restructure the sequence of request handling to have the "targetRequestUri" handled after the security check and a possible removal of the session attribute.


      One problem arises with this solution, however, which should be less of an issue than the current state:

      If the login page includes a request call that is handled after the request showing the login page (for example an ajax call rendering a screen), the "PREVIOUS_REQUEST" attribute will be lost before the login is processed. To my knowledge such a case does not exist within the OFBiz environment and seems to be an edge case far less problematic than the above mentioned problem.


        1. RequestHandler.java.patch
          1.0 kB
          Olivier Heintz
        2. RequestHandler.java.patch
          1.0 kB
          Olivier Heintz
        3. RequestHandler.java.patch
          2 kB
          Olivier Heintz



            jleroux Jacques Le Roux
            Ingo Könemann Ingo Richter
            1 Vote for this issue
            5 Start watching this issue