Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: Release 09.04, Release 10.04
    • Fix Version/s: None
    • Component/s: ALL COMPONENTS
    • Labels:
    • Environment:

      Windows 2003 Server. Apache Ofbiz 2004 and Ofbiz 10

      Description

      The logout method does not disable the autoLogin functionality. Instead, it just initializes autoLogin in the session and request.

      autoLoginCheck has to be replaced with autoLoginRemove inside the logout method.

      LoginEvents/LoginWorker.java
      public static String logout(HttpServletRequest request, HttpServletResponse response) {
      	// invalidate the security group list cache
      	GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
      	String returnValue = "success";
      	if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
      		try {
      			returnValue = autoLoginRemove(request, response);
      		} catch (IOException e) {
      			Debug.logWarning(e, "", module);
      		}
      	}
      	// log out from all other sessions too; do this here so that it is only done when a user explicitly logs out
      	logoutFromAllSessions(userLogin);
      
      	doBasicLogout(userLogin, request);
      
      	return returnValue;
      }
      

        Activity

        Roberto Benítez Monje created issue -
        Jacques Le Roux added a comment -

        I don't know what you want to express or do with this issue. For instance, logoutFromAllSessions does not exist in OFBiz. And why would a user have more than one session?

        Roberto Benítez Monje added a comment -

        logoutFromAllSessions may be a method from a previous developer in my company.
        Autologin does the cookie handling. Ofbiz never deletes cookies because autoLoginRemove is never called. I detected this behaviour because I was manipulating Ofbiz to allow the user to choose his home page and I was faced with a re-login issue. I saw the request and session attributes and even the cookies.
        If a user enters default_component and is redirected automatically to another component, when he logs out he isn't completely logged out. And if he enters default_component again, he is logged in without entering his user and password.

        Sorry if I don't express myself correctly. I don't speak English very well.
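
A check for the behaviour reported in this issue, as an added example that is not part of the thread or of OFBiz: given the Set-Cookie headers captured at login and at logout, it lists the persistent cookies that the logout response did not expire. The cookie name AUTOLOGIN_DEMO and all header values are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie values; AUTOLOGIN_DEMO is a hypothetical cookie name.
LOGIN = ["JSESSIONID=abc123; Path=/demo; HttpOnly",
         "AUTOLOGIN_DEMO=jdoe; Max-Age=31536000; Path=/"]
LOGOUT_NO_REMOVE = ["JSESSIONID=def456; Path=/demo; HttpOnly"]
LOGOUT_WRONG_PATH = ["AUTOLOGIN_DEMO=; Max-Age=0; Path=/demo"]
LOGOUT_REMOVED = ["AUTOLOGIN_DEMO=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/"]


def parse_set_cookie(header, now):
    """Return (key, persistent, expired) for one Set-Cookie header value."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    fields = {}
    for attr in attrs:
        k, _, v = attr.partition("=")
        fields[k.strip().lower()] = v.strip()
    if "max-age" in fields:  # Max-Age takes precedence over Expires (RFC 6265)
        expires_in = int(fields["max-age"])
    elif "expires" in fields:
        when = parsedate_to_datetime(fields["expires"])
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        expires_in = (when - now).total_seconds()
    else:
        expires_in = None  # session cookie: gone when the browser closes
    # A browser only replaces a stored cookie when name, domain and path match.
    # Simplification: a missing Path is treated as "/".
    key = (name, fields.get("domain", "").lower(), fields.get("path", "/"))
    persistent = expires_in is not None and expires_in > 0
    expired = expires_in is not None and expires_in <= 0
    return key, persistent, expired


def cookies_surviving_logout(login_headers, logout_headers, now=None):
    """List persistent cookies set at login that the logout response leaves alive."""
    now = now or datetime.now(timezone.utc)
    alive = set()
    for header in login_headers:
        key, persistent, _ = parse_set_cookie(header, now)
        if persistent:
            alive.add(key)
    for header in logout_headers:
        key, _, expired = parse_set_cookie(header, now)
        if expired:
            alive.discard(key)
    return sorted(alive)
```

A non-empty result for a logout response means a long-lived cookie is still in the browser after logout; the wrong-path sample shows that an expiry sent with a different Path does not remove the original cookie.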

        Jacques Le Roux added a comment -

        It's clear enough, thanks. I will have a look when I get a chance...

        Jacques Le Roux added a comment -

        Sorry, this does not make sense to me. I am closing it.

        Jacques Le Roux made changes -
        Status: Open [ 1 ] -> Closed [ 6 ]
        Assignee: Jacques Le Roux [ jacques.le.roux ]
        Resolution: Incomplete [ 4 ]

          People

          • Assignee:
            Jacques Le Roux
            Reporter:
            Roberto Benítez Monje
          • Votes:
            0
            Watchers:
            3


              Time Tracking

              Estimated: Original Estimate - 70,056h
              Remaining: Remaining Estimate - 70,056h
              Logged: Time Spent - Not Specified
