[
https://issues.apache.org/jira/browse/OFBIZ-6111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15076677#comment-15076677
]
Scott Gray commented on OFBIZ-6111:
-----------------------------------
After a closer look this morning, it appears that the session is dropped
because it was created during an HTTPS request (logout) and is then passed to a
unsecure HTTP request in the URL. Tomcat uses the session for the unsecure
request but (correctly) it won't send it back as an unsecure session cookie.
IMO we shouldn't be passing a secure session ID to an unsecure request.
In RequestHandler.makeLink(HttpServletRequest, HttpServletResponse, String,
boolean, boolean, boolean) we have the following code:
{code}
// if this isn't a secure page, but we made a secure URL, make sure
// we manually add the jsessionid since the response.encodeURL won't do that
if (!request.isSecure() && didFullSecure) {
    forceManualJsessionid = true;
}
// if this is a secure page, but we made a standard URL, make sure
// we manually add the jsessionid since the response.encodeURL won't do that
if (request.isSecure() && didFullStandard) {
    forceManualJsessionid = true;
}
{code}
But I would argue that in both of the above cases, the reason that
response.encodeURL won't include the jsessionid is because it isn't safe to do
so from a security point of view. In both cases you've got the potential for
session hijacking because either a secure cookie id has been passed in plain
text or an unsecure session id will be used in place of a secure one. I think
we should remove the logic relating to the forceManualJsessionid variable.
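The following is an added, self-contained Java model of the decision discussed in the comment above; it is not OFBiz or Tomcat code. It puts the `forceManualJsessionid` branch from `makeLink` beside a variant that defers entirely to the container's `encodeURL` rule, and checks each generated link for a session ID travelling in a plain-HTTP URL. The `RequestContext` class, the `encodeUrl` approximation of Tomcat's rewriting rule (rewrite only when the session ID did not arrive as a cookie and the link stays on the request's scheme), the host `shop.example` and the session ID value are all constructed assumptions for the example.

```java
// Added example (not OFBiz or Tomcat code): models the link-building decision
// from RequestHandler.makeLink that the comment argues should be removed.
public final class JsessionidLinkPolicy {

    /** Constructed stand-in for the parts of HttpServletRequest the decision needs. */
    public static final class RequestContext {
        final boolean requestSecure;       // request.isSecure()
        final boolean sessionIdFromCookie; // request.isRequestedSessionIdFromCookie()
        final String sessionId;            // request.getSession().getId()

        RequestContext(boolean requestSecure, boolean sessionIdFromCookie, String sessionId) {
            this.requestSecure = requestSecure;
            this.sessionIdFromCookie = sessionIdFromCookie;
            this.sessionId = sessionId;
        }
    }

    /**
     * Legacy behaviour quoted in the comment: when the link crosses the
     * HTTP/HTTPS boundary, force the session ID into the URL because
     * response.encodeURL() will not do it.
     */
    public static String makeLinkLegacy(RequestContext ctx, boolean targetSecure, String url) {
        // In makeLink these flags are set earlier when a full URL is built;
        // here they simply follow the scheme of the link being generated.
        boolean didFullSecure = targetSecure;
        boolean didFullStandard = !targetSecure;
        boolean forceManualJsessionid = false;

        if (!ctx.requestSecure && didFullSecure) {
            forceManualJsessionid = true;
        }
        if (ctx.requestSecure && didFullStandard) {
            forceManualJsessionid = true;
        }
        if (forceManualJsessionid) {
            return appendJsessionid(url, ctx.sessionId);
        }
        return encodeUrl(ctx, targetSecure, url);
    }

    /** Hardened variant: no manual override, only the container's rule applies. */
    public static String makeLinkHardened(RequestContext ctx, boolean targetSecure, String url) {
        return encodeUrl(ctx, targetSecure, url);
    }

    /**
     * Simplified approximation (assumption) of Tomcat's Response.encodeURL():
     * rewrite the URL only if the client did not present the session ID as a
     * cookie and the link stays on the same scheme as the current request.
     */
    static String encodeUrl(RequestContext ctx, boolean targetSecure, String url) {
        if (ctx.sessionIdFromCookie) {
            return url; // cookies work for this client; no URL rewriting needed
        }
        if (targetSecure != ctx.requestSecure) {
            return url; // scheme changes; the session ID must not be carried over
        }
        return appendJsessionid(url, ctx.sessionId);
    }

    /** Appends ;jsessionid=... to the path part, before any query string. */
    static String appendJsessionid(String url, String sessionId) {
        int query = url.indexOf('?');
        if (query < 0) {
            return url + ";jsessionid=" + sessionId;
        }
        return url.substring(0, query) + ";jsessionid=" + sessionId + url.substring(query);
    }

    /** True when a session ID would travel inside a plain-HTTP URL. */
    public static boolean exposesSessionId(boolean targetSecure, String link) {
        return !targetSecure && link.contains(";jsessionid=");
    }

    public static void main(String[] args) {
        // Constructed scenario from the comment: logout ran over HTTPS and the
        // session was created there; the next link points at a plain-HTTP page.
        RequestContext afterLogout = new RequestContext(true, true, "EXAMPLE-SESSION-ID");
        String target = "http://shop.example/ecommerce/control/main";

        String legacy = makeLinkLegacy(afterLogout, false, target);
        String hardened = makeLinkHardened(afterLogout, false, target);

        System.out.println("legacy:   " + legacy + "  exposes=" + exposesSessionId(false, legacy));
        System.out.println("hardened: " + hardened + "  exposes=" + exposesSessionId(false, hardened));
    }
}
```

Run with `javac JsessionidLinkPolicy.java && java JsessionidLinkPolicy`. The legacy branch emits the HTTPS-issued session ID in an `http://` link, which is the plain-text exposure the comment describes; the hardened branch emits the bare URL, so the browser falls back to its cookie and, because that cookie is marked Secure, the session is simply not sent to the HTTP page. That is the "session dropped" symptom from the issue, and it is the safer of the two outcomes.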
> Strange Behaviour of the eCommerce Login Link
> ---------------------------------------------
>
> Key: OFBIZ-6111
> URL: https://issues.apache.org/jira/browse/OFBIZ-6111
> Project: OFBiz
> Issue Type: Bug
> Components: specialpurpose/ecommerce
> Affects Versions: Release Branch 12.04, Release Branch 13.07, Trunk
> Reporter: Forrest Rae
> Assignee: Arun Patidar
> Priority: Trivial
> Attachments: OFBIZ-6111.patch, OFBIZ-6111.patch
>
>
> I've noticed some strange behaviour with the Login link in the eCommerce
> application. If you visit the Login link from "main", you're redirected
> back to the Login view even after logging in:
> 1) Visit http://demo-stable-ofbiz.apache.org/ecommerce/control/main
> 2) Click "Login" in the upper left
> 3) Login as "DemoCustomer" with a password of "ofbiz"
> 4) Notice that you're at a new URL, logged in, but the login form is redrawn.
> Compare this with how it's supposed to work:
> 1) Logout
> 2) Visit http://demo-stable-ofbiz.apache.org/ecommerce/tiny-gismo-GZ-1000-p
> 3) Click "Login" in the upper left
> 4) Login as "DemoCustomer" with a password of "ofbiz"
> 5) Notice that you're at a new URL, but the product page is redrawn correctly.
> It's just really strange behaviour, quite hard to track down, and I can't
> really find a root cause.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)