Invalidate Browser/RAP Session [message #1656809]
Sat, 07 March 2015 17:51
Hello,
I tried to logout or invalidate the client session with this piece of code (as used in the File->Exit menu):
ClientJob.getCurrentSession(ClientSession.class).stopSession();
This redirects me to the http://localhost:8082/res/logout.html page. But it seems that the session data is not invalidated/deleted.
Because when I call http://localhost:8082/web afterwards, I don't get prompted to enter username and password again. It seems that not all of the necessary data is deleted on the stopSession() call.
Is there a way to delete every session data, so the user has to enter the credentials once again?
Thanks,
Peter
[Updated on: Sat, 07 March 2015 17:52]
Re: Invalidate Browser/RAP Session [message #1669010 is a reply to message #1665609]
Thu, 12 March 2015 18:44
Hi,
I took a look at the links and at org.eclipse.scout.rt.ui.rap.servletfilter.LogoutFilter. The logout filter gets called a dozen times each time a request is sent... And in the LogoutFilter there is even a small code passage that says:
    if (session != null) {
        session.invalidate();
        LOG.info("Logout successful.");
    }
Either the logout request needs a special parameter and value or this code is never reached at all....
Peter
Re: Invalidate Browser/RAP Session [message #1672789 is a reply to message #1669010]
Sat, 14 March 2015 04:12
Hello there,
I think this issue is easy to reproduce. Just create an empty standard project (I chose outlinebase with a standardoutline), activate BasicSecurityFilter and start the application in a browser. Log in, and then go to File->Exit.
Then just open localhost:8082/web once again.
My assumption would be to be asked again for the credentials. But that's not the case.
Regards,
Peter
Re: Invalidate Browser/RAP Session [message #1695003 is a reply to message #1672789]
Mon, 11 May 2015 10:36
Michel R Messages: 46 Registered: April 2015
Hi.
I got the same problem but with an LDAP authenticator. And I also tried with the BasicSecurityFilter and it doesn't work either, the credentials are still there after quitting.
It seems logical to invalidate the session when calling the Quit menu from the RAP UI. I am using the RAP Development configuration, from the Scout workbench.
The LogoutFilter is apparently called for all user actions. Now it is really used when the 'doLogout' parameter is given, which is the case when the user clicks on the Quit menu.
But after, there must be an additional parameter 'doit'.
Firstly, the filter is called without 'doit' parameter.
Then the filter is called again with doit=true and session.invalidate() is called.
BUT this does not work, when the /web URL is called the user is still logged on!
Even if I remove the session cookie from the browser the user is still auto-logged in!
Actually if I remove the session cookie during a session, I just get a message about server time-out, and a new session is created without asking for credentials.
In the LDAP authenticator, I see that the login() method is called, with the username and password, without asking the user. The credentials are taken from the headers of the request ('Authorization').
So actually the session IS invalidated at some point, but the authorization information is still present in the request headers when the authenticator is called.
And a new session is opened, with this cached authorisation data, as soon as the logout page is called!
I am lost here...
What can I do to clear this header ???
Thank you!
[Updated on: Mon, 11 May 2015 12:27]
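The behaviour described across this thread (stopSession() and session.invalidate() run, yet the next request to /web is authenticated without a prompt) follows from how HTTP Basic authentication works: the browser caches the credentials and re-sends the Authorization header on every request, so the server can invalidate its session all it likes and the very next request simply creates a new one. The model below is an added illustration, not Eclipse Scout's LogoutFilter or BasicSecurityFilter; the session store, the request shape, the user table and the Browser class are all constructed for the example. It reproduces the symptom (one prompt for the whole session, even after logout) and contrasts it with the common mitigation of answering the logout request with 401, which relies on the assumption that the browser discards its cached Basic credentials when it receives a 401 for them.

```python
"""Why invalidating the server session does not log out a Basic-auth user.

Constructed example: a toy server with an in-memory session store and a
toy browser that caches Basic credentials, as real browsers do. Nothing
here is Scout code; the names and the flow are assumptions for the demo.
"""
import base64
import hmac
import itertools

# Constructed credential table (plain text only because this is a toy;
# a real authenticator checks a password hash or asks LDAP).
USERS = {"peter": "secret"}


class Server:
    def __init__(self, challenge_on_logout):
        self.sessions = {}              # session id -> user name
        self.ids = itertools.count(1)
        self.challenge_on_logout = challenge_on_logout

    def _authenticate(self, headers):
        """Return the user named by a valid Authorization: Basic header, else None."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        return user

    def handle(self, path, headers, params):
        sid = headers.get("Cookie-JSESSIONID")
        # Logout step, modelled on the filter quoted in the thread. The thread
        # describes a two-step doLogout/doit confirmation; collapsed here.
        if params.get("doLogout") and params.get("doit") == "true":
            self.sessions.pop(sid, None)          # session.invalidate()
            if self.challenge_on_logout:
                # Mitigation: a 401 tells the browser its cached credentials
                # are no longer good (assumed browser behaviour).
                return {"status": 401, "body": "logged out"}
            return {"status": 200, "body": "logout.html"}
        user = self.sessions.get(sid)
        if user is None:
            # No live session: authenticate from the request headers, exactly
            # the path Michel observed (login() called without a prompt).
            user = self._authenticate(headers)
            if user is None:
                return {"status": 401, "body": "login required"}
            sid = f"S{next(self.ids)}"
            self.sessions[sid] = user
            return {"status": 200, "set_cookie": sid, "user": user}
        return {"status": 200, "user": user}


class Browser:
    """Toy client: remembers the session cookie and the Basic credentials."""

    def __init__(self, server):
        self.server = server
        self.cached_auth = None   # Authorization header value, re-sent every time
        self.cookie = None
        self.prompts = 0          # how often the user had to type credentials

    def get(self, path, params=None, typed=None):
        params = params or {}
        resp = None
        for _ in range(2):
            headers = {}
            if self.cached_auth:
                headers["Authorization"] = self.cached_auth
            if self.cookie:
                headers["Cookie-JSESSIONID"] = self.cookie
            resp = self.server.handle(path, headers, params)
            if "set_cookie" in resp:
                self.cookie = resp["set_cookie"]
            if resp["status"] != 401:
                return resp
            self.cached_auth = None            # drop credentials the server rejected
            if typed is None:                  # nobody at the keyboard to answer a prompt
                return resp
            self.prompts += 1                  # the login dialog appears
            self.cached_auth = "Basic " + base64.b64encode(
                f"{typed[0]}:{typed[1]}".encode()).decode()
        return resp


def scenario(challenge_on_logout):
    """Login, File->Exit, open /web again; report prompts and outcome."""
    server = Server(challenge_on_logout)
    browser = Browser(server)
    browser.get("/web", typed=("peter", "secret"))                 # first login
    first_sid = browser.cookie
    browser.get("/web", params={"doLogout": "1", "doit": "true"})  # File->Exit
    resp = browser.get("/web", typed=("peter", "secret"))          # open /web again
    return {"prompts": browser.prompts,
            "server_invalidated": first_sid not in server.sessions,
            "user": resp.get("user")}


if __name__ == "__main__":
    print("plain invalidate:", scenario(False))   # one prompt only: auto-login
    print("401 on logout:   ", scenario(True))    # second prompt after logout
```

In both runs the server really does drop the first session, which matches Michel's finding that the session IS invalidated; the difference is only whether the client still holds credentials to present on the next request. Deleting the cookie, as Michel tried, changes nothing in this model for the same reason: the cookie is not what authenticates the request, the header is.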