I just checked this code and it looks really worrying to me. You have hard-wired the ecommerce component, with logic, into the heart of the framework. I think we need to review the entire body of work and maybe revert it.
On Sat, Feb 10, 2018 at 2:38 PM, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
> On 10/02/2018 at 12:33, Jacques Le Roux wrote:
>>
>> Hi,
>>
>> Almost 6 years ago OFBIZ-4959 "Logout do not remove autoLogin" was created
>> and I closed it as incomplete.
>>
>> Recently, while working on OFBIZ-10206 "Security issue in Token Based
>> Authentication", which followed my work in OFBIZ-9833 "Token Based
>> Authentication", I needed a way to get the userLoginId (or userLogin) from
>> the session.
>> But, as explained in OFBIZ-10206, at this stage it was unavailable. So I
>> decided to go with autoLoginCookies. I then "remembered" OFBIZ-4959.
>>
>> So I'd like to commit the patch I provided at OFBIZ-4959. But before that
>> I want to discuss autoLoginCookies and the feature, to be sure we are
>> all on the same field.
>>
>> The auto login feature is used in ecommerce applications (i.e. OOTB
>> ecommerce and ecomseo) to welcome a user when s/he gets back. It does not
>> really log the user in but eases the login process. From the code, the same
>> feature exists in the webpos; I did not check.
>>
>> AutoLoginCookies are also generated for all applications, but are not used
>> for the auto login feature like in ecommerce applications. They can
>> nevertheless be useful, as OFBIZ-10206 "Security issue in Token Based
>> Authentication" proves. But for OFBIZ-10206, and security in general, it's better to
>> remove the autoLoginCookies of the other applications (i.e. not ecommerce and
>> webpos) when the user logs out. Of course, if the user quits the session without
>> logging out, the autoLoginCookies remain, so it's best to start with a clean
>> state and remove the autoLoginCookies at start.
>>
>> Without negative opinions I'll commit the OFBIZ-4959.patch in 1 week.
>>
>> Jacques
>>
>>
> Forgot to say that the autoLoginCookies have a time to live of 1 year.
>
> Jacques
>
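For readers following the thread, here is an added illustration (not OFBiz code and not the OFBIZ-4959.patch) of the two behaviours Jacques describes: expiring a long-lived auto-login cookie when the user logs out, and invoking the same cleanup at the start of a session so a stale cookie left behind by a closed browser does not survive. It uses only the plain Servlet API; the cookie name `exampleapp.autoLoginId` and the helper class name are assumptions for this example, not OFBiz's real identifiers.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not part of the original thread or of OFBiz.
 * Shows how a webapp can expire its auto-login cookie on logout and
 * at the start of a request, as suggested in the discussion above.
 */
public final class AutoLoginCookieCleaner {

    // Assumed cookie name for this example; the real OFBiz names are not reproduced here.
    private static final String AUTO_LOGIN_COOKIE = "exampleapp.autoLoginId";

    private AutoLoginCookieCleaner() {}

    /**
     * Sends an expiring copy of the auto-login cookie if the request carried one.
     * Returns true when a cookie was found and an expiring replacement was queued.
     *
     * Caveat a practitioner will hit: the browser only replaces the stored cookie
     * when name, Path (and Domain, if one was set) match the original exactly.
     * Sending Max-Age=0 with a different path silently leaves the 1-year cookie in place.
     */
    public static boolean clearAutoLoginCookie(HttpServletRequest request,
                                               HttpServletResponse response) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return false;
        }
        boolean found = false;
        for (Cookie c : cookies) {
            if (AUTO_LOGIN_COOKIE.equals(c.getName())) {
                Cookie expired = new Cookie(AUTO_LOGIN_COOKIE, "");
                expired.setMaxAge(0);                       // tells the browser to delete it
                expired.setPath(cookiePathFor(request));    // must match the path it was set with
                expired.setHttpOnly(true);                  // keep it out of reach of page scripts
                expired.setSecure(request.isSecure());      // match the original's Secure flag
                response.addCookie(expired);
                found = true;
            }
        }
        return found;
    }

    /** Logout: expire the cookie first, then drop the server-side session. */
    public static void logout(HttpServletRequest request, HttpServletResponse response) {
        clearAutoLoginCookie(request, response);
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    /**
     * "Clean state at start": for webapps that do not use auto login, call this
     * on the first request of a new session so a cookie left over from an
     * earlier, never-logged-out visit is discarded before anything reads it.
     */
    public static void ensureCleanStart(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(true);
        if (session.isNew()) {
            clearAutoLoginCookie(request, response);
        }
    }

    // Cookies are normally set with the webapp's context path; root context uses "/".
    private static String cookiePathFor(HttpServletRequest request) {
        String ctx = request.getContextPath();
        return ctx.isEmpty() ? "/" : ctx;
    }
}
```

Wire `logout` into the webapp's logout handler and `ensureCleanStart` into a filter that runs before any auto-login lookup; `ensureCleanStart` only acts on a brand-new session, so it does not interfere with a session that has already been established.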