Skip to main content


Eclipse Community Forums

      Home
Home » Eclipse Projects » Eclipse Scout » Invalidate Browser/RAP Session
Invalidate Browser/RAP Session [message #1656809] Sat, 07 March 2015 12:51 Go to next message
Eclipse UserFriend
Hello,

I tried to logout or invalidate the client session with this piece of code (as used in the File->Exit menu):
ClientJob.getCurrentSession(ClientSession.class).stopSession();


This redirects me to the http://localhost:8082/res/logout.html page. But it seems that the session data is not invalidated/deleted.

Because when I call http://localhost:8082/web afterwards, I don't get prompted to enter username and password again. It seems that not all of the necessary data is deleted on the stopSession() call.

Is there a way to delete every session data, so the user has to enter the credentials once again?

Thanks,

Peter

[Updated on: Sat, 07 March 2015 12:52] by Moderator

Re: Invalidate Browser/RAP Session [message #1665609 is a reply to message #1656809] Wed, 11 March 2015 06:02 Go to previous messageGo to next message
Eclipse UserFriend
I really do not know this area well, but I guess that you will find some help in those threads:

* Filters & Services live update
* Logout fails
* User (in)activity detection and auto-logout

Those threads are old, but I think that they will help you. Do not hesitate to continue the discussion if you do not find the solution there.

,
Re: Invalidate Browser/RAP Session [message #1669010 is a reply to message #1665609] Thu, 12 March 2015 14:44 Go to previous messageGo to next message
Eclipse UserFriend
Hi,

i took a look at the links and at org.eclipse.scout.rt.ui.rap.servletfilter.LogoutFilter . The logout filter gets called a dozen of times each time a request is sent... And in the logoutfilter there is even a small code passage that says:

if (session != null) {
      session.invalidate();
      LOG.info("Logout successful.");
    }


Either the logout request needs a special parameter and value or this code is never reached at all....

Peter
Re: Invalidate Browser/RAP Session [message #1672789 is a reply to message #1669010] Sat, 14 March 2015 00:12 Go to previous messageGo to next message
Eclipse UserFriend
Hello there,

I think this issue is easy to reproduce. Just create an empty standard project (I chose outlinebase with a standardoutline), activate BasicSecurityFilter and start the application in a browser. Login, and the goto File->Exit.

Then just open localhost:8082/web once again.

My assumption would be, to be asked again for the credientials. But that's not the case.

Regards,

Peter
Re: Invalidate Browser/RAP Session [message #1695003 is a reply to message #1672789] Mon, 11 May 2015 06:36 Go to previous messageGo to next message
Eclipse UserFriend
Hi.

I got the same problem but with a LDAP authenticator. And I also tried with the BasicSecurityFilter and it doesn't work either, the credentials are still there after quitting.

It seems logical to invalidate the session when calling the Quit menu from the RAP UI. I am using the RAP Development configuration, from the Scout workbench.

The LogoutFilter is apparently called for all user actions. Now it is really used when the 'doLogout' parameter is given, which is the case when the user clicks on the Quit menu.

But after, there must be an additional parameter 'doit'.
Firstly, the filter is called without 'doit' parameter.
Then the filter is called again with doit=true and session.invalidate() is called.
BUT this does not work, when the /web URL is called the used is still logged on !

Even if I remove the session cookie from the browser the user is still auto-logged in !
Actually if I remove the session cookie during a session, I just get a message about server time-out, and a new session is created without asking for credentials.

In the LDAP authenticator, I see that the login() method is called, with the username and password, without asking the user. The credentials are taken from the headers of the request ('Authorization').

So actually the session IS invalidated at some point, but the authorization information is still present in the request headers when the authenticator is called.
And a new session is opened, with this cached authorisation data, as soon as the logout page is called!

I am lost here...

What can I do to clear this header ???

Thank you!

[Updated on: Mon, 11 May 2015 08:27] by Moderator

Re: Invalidate Browser/RAP Session [message #1695040 is a reply to message #1695003] Mon, 11 May 2015 10:25 Go to previous message
Eclipse UserFriend
Ok obviously that was because the LDAP authenticator was actually using the Basic authentication. In this case the browser will keep the credentials till it is closed.

[Updated on: Thu, 14 May 2015 02:37] by Moderator

Previous Topic:Outlines in Mobile Version
Next Topic:Mocking the SharedVariablesMap of the ClientSession in UnitTests
Goto Forum:
  


Current Time: Sun Jul 13 16:37:02 EDT 2025

Powered by FUDForum. Page generated in 0.24242 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly