[ https://issues.apache.org/jira/browse/JS2-712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12635398#action_12635398 ]

Aaron Evans commented on JS2-712:
---------------------------------

I tried this out and it seems to do what I want, so thanks very much.  Sorry to 
take so long to actually use a feature that I requested!

One question though:

In the LoginProxyServlet, you redirect to:

"/login/redirector?token=" + token.getToken() where the token value is the 
username-timestamp.

Is this token request parameter used later on in the chain? It doesn't seem to 
affect the behavior of the authentication mechanism or the security valve.

The reason I ask is if it is informational only, I'd suggest removing it.  In 
my case, it stays visible for a second or two while our dashboard loads and it 
just seems weird to see the username in the URL. 

Anyhow, obviously not a big deal provided it isn't a security issue (and I'm 
pretty sure it is not since I tried doing some basic URL manipulation).

Anyhow, thanks again.

-aaron

> Create new servlet session upon login (configurable)
> ----------------------------------------------------
>
>                 Key: JS2-712
>                 URL: https://issues.apache.org/jira/browse/JS2-712
>             Project: Jetspeed 2
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: 2.1.2
>            Reporter: David Sean Taylor
>            Assignee: David Sean Taylor
>             Fix For: 2.1.2
>
>
> Create new servlet session upon login. In 2.1, the guest session is continued 
> when the user authenticates, which is a valid use-case such as an e-commerce 
> portal which allows users to delay their login but still create a shopping 
> cart before logging in, and then carrying over the session state to the 
> logged user. This enhancement will make the "creation of new session event" 
> configurable in the Spring configuration. The default behavior will still be 
> to not create a new session.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

