[OFBIZ-4959] Logout do not remove autoLogin - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Release 09.04, Release 10.04
Fix Version/s: 16.11.05, 17.12.01
Component/s: ALL COMPONENTS
Labels:
- logout
- security
Environment:

Windows 2003 Server. Apache Ofbiz 2004 and Ofbiz 10

Description

Logout method do not disable autoLogin functionality. Instead of that it just initializes autoLogin in session and request.

It have to be replace autoLoginCheck for autoLoginRemove inside of logout method.

LoginEvents/LoginWorker.java

public static String logout(HttpServletRequest request, HttpServletResponse response) {
	// invalidate the security group list cache
	GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
	String returnValue = "success";
	if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
		try {
			returnValue = autoLoginRemove(request, response);
		} catch (IOException e) {
			Debug.logWarning(e, "", module);
		}
	}
	// log out from all other sessions too; do this here so that it is only done when a user explicitly logs out
	logoutFromAllSessions(userLogin);

	doBasicLogout(userLogin, request);

	return returnValue;
}

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OFBIZ-4959.patch
10/Feb/18 11:32
1 kB
Jacques Le Roux
OFBIZ-4959.patch
06/Feb/18 13:27
0.7 kB
Jacques Le Roux

Issue Links

is depended upon by

OFBIZ-10206 Security issue in Token Based Authentication

Closed

OFBIZ-10307 Navigate from a domain to another with automated signed in authentication

Closed

is related to

OFBIZ-10635 Correct behaviour of Autologin cookies

Closed

Activity

People

Assignee:: Jacques Le Roux

Reporter:: Roberto Benítez Monje

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 11/Jul/12 08:08

Updated:: 02/Nov/18 15:48

Resolved:: 19/Feb/18 19:27

Time Tracking

Estimated:

70,056h

Remaining:

70,056h

Logged:

Not Specified