Hi,

I would say, this is a new bug. IMO a timed-out cookie should actually
be deleted by the Form authentication handler and the request should
proceed as if it were not authenticated.

Another solution would be to recognize the timeout and force login
again, which would also be the task of the Form authentication handler.

What would be the right thing to do?
Should this be configurable?

Regards
Felix

On 27.07.2010 23:42, Mike Moulton wrote:
> I'm experiencing a potential problem with formauth in the latest trunk of 
> sling (r979875) that I wanted to check to see if this is now the intended 
> behavior with all the recent auth changes, or is a newly introduced bug.
> 
> Here is my scenario:
> 
> - Start up the standalone sling.
> - Install the form auth bundle.
> - Goto: http://localhost:8080/index.html - page should render
> - Goto: http://localhost:8080/system/sling/form/login - login
> - Goto: http://localhost:8080/index.html - page should still render
> - Wait for session cookie to timeout (I lowered the timeout to 1 min for my 
> testing)
> - Refresh: http://localhost:8080/index.html - page will redirect to login form
> 
> Once the cookie times out I can no longer get to any resource (regardless of 
> ACLs on the resource) without either logging back in or deleting the cookie 
> from my browser. This effectively locks me out of the repo and prevents the 
> user from returning to an anonymous user state.
> 
> Is this the intended behavior?
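The two handler behaviours Felix proposes for a timed-out cookie, modelled as an added example (this is not Sling's formauth code; the cookie name, the policy names and the login path used in the redirect are assumptions taken from the scenario above):

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed model of an auth handler's expired-cookie handling.
# Cookie name and policy identifiers are assumptions, not Sling's.
COOKIE_NAME = "sling.formauth"
LOGIN_PATH = "/system/sling/form/login"          # from the scenario in the thread
POLICY_ANONYMOUS = "drop_cookie_and_continue"    # proposal 1: proceed unauthenticated
POLICY_RELOGIN = "redirect_to_login"             # proposal 2: force login again


@dataclass
class Cookie:
    user: str
    issued_at: float          # seconds since epoch


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)


def is_expired(cookie: Cookie, timeout_s: float, now: float) -> bool:
    return now - cookie.issued_at > timeout_s


def extract_credentials(cookie: Optional[Cookie], timeout_s: float, now: float,
                        policy: str, response: Response) -> Tuple[str, Optional[str]]:
    """Decide how the request proceeds.

    Returns ("authenticated", user), ("anonymous", None) or ("login_required", None).
    Headers/status needed to enforce the decision are written to `response`.
    """
    if cookie is None:
        return ("anonymous", None)
    if not is_expired(cookie, timeout_s, now):
        return ("authenticated", cookie.user)
    if policy == POLICY_ANONYMOUS:
        # Clear the stale cookie so the client does not keep presenting it,
        # then let the request continue as an anonymous request.
        response.headers["Set-Cookie"] = f"{COOKIE_NAME}=; Max-Age=0; Path=/"
        return ("anonymous", None)
    # Otherwise send the client back to the login form.
    response.status = 302
    response.headers["Location"] = LOGIN_PATH
    return ("login_required", None)
```

With POLICY_RELOGIN the user is kept at the login form until re-authenticating, which is the lockout Mike describes; with POLICY_ANONYMOUS the stale cookie is cleared and access falls back to whatever the resource's ACL grants anonymous.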
