[
https://issues.apache.org/jira/browse/JSEC-57?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12671473#action_12671473
]
Les Hazlewood commented on JSEC-57:
-----------------------------------
I think an appropriate solution for this issue is to set a request attribute
that indicates the user has called logout during the request, e.g.
IS_LOGGED_OUT key, Boolean object as the value. Both the WebRememberMeManager
and the JSecurityHttpServletRequest would check for the same attribute to alter
logic for rememberMe and getUserName, respectively.
I think getUserName should return null after a logout, instead of creating a
new Subject and Session which would result otherwise. I think an end user has
filed another issue recently (JSEC-58?) that is related to this, which causes a
new session to be created unnecessarily.
> After logout() a getSubject() call still honors remember me
> -----------------------------------------------------------
>
> Key: JSEC-57
> URL: https://issues.apache.org/jira/browse/JSEC-57
> Project: JSecurity
> Issue Type: Bug
> Components: Subject
> Affects Versions: 0.9
> Reporter: Jeremy Haile
> Fix For: 1.0
>
> Attachments: WebRememberMeManager.java.forgetIdentity.JSEC-57.patch
>
>
> This cropped up for me because Spring's FrameworkServlet calls
> request.getUserName() by default, which under the hood will call JSecurity's
> getSubject(). This causes a new subject to be created that honors the
> remember me cookie. Instead - this new subject should be created without a
> remember me cookie being honored.
> One way we could work around this problem is by setting a request attribute
> when you logout that tells the RememberMeManager that it shouldn't honor the
> remember me cookie for the remainder of this request.
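As an added illustration of the mechanism Les Hazlewood sketches in the comment above (example code written for this page, not JSecurity's own source and not the attached patch): the logout path sets a request attribute, and both the remember-me lookup and the request wrapper consult that attribute before resolving an identity from the cookie. The class names, the attribute key string, the cookie name and the method names below are assumptions; the servlet method the issue refers to as getUserName() is HttpServletRequest.getRemoteUser().

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/** Request-scoped "logout happened during this request" marker (hypothetical class and key). */
final class LogoutMarker {
    // Assumed attribute key; the comment only says "IS_LOGGED_OUT key, Boolean object as the value".
    static final String IS_LOGGED_OUT = "jsecurity.IS_LOGGED_OUT";

    private LogoutMarker() {}

    /** Called from logout: later identity lookups in the same request must not re-authenticate. */
    static void markLoggedOut(HttpServletRequest request) {
        request.setAttribute(IS_LOGGED_OUT, Boolean.TRUE);
    }

    static boolean isLoggedOut(HttpServletRequest request) {
        return Boolean.TRUE.equals(request.getAttribute(IS_LOGGED_OUT));
    }
}

/** Stand-in for WebRememberMeManager: the cookie is ignored once logout has run in this request. */
class RememberMeLookup {
    static final String COOKIE_NAME = "rememberMe"; // assumed cookie name

    /** Returns the remembered principal, or null when there is none or logout already happened. */
    String getRememberedPrincipal(HttpServletRequest request) {
        // The expiring Set-Cookie is on the response only; the request still carries the old cookie,
        // so without this check a later getSubject() in the same request would re-honor it.
        if (LogoutMarker.isLoggedOut(request)) {
            return null;
        }
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                return decode(c.getValue());
            }
        }
        return null;
    }

    /** Placeholder: a real manager verifies and decrypts the cookie value before trusting it. */
    private String decode(String cookieValue) {
        return cookieValue;
    }

    /** forgetIdentity: expire the cookie on the response and mark the current request. */
    void forgetIdentity(HttpServletRequest request, HttpServletResponse response) {
        Cookie expired = new Cookie(COOKIE_NAME, "");
        expired.setMaxAge(0);
        expired.setPath("/");
        response.addCookie(expired);
        LogoutMarker.markLoggedOut(request);
    }
}

/** Stand-in for JSecurityHttpServletRequest: after logout, getRemoteUser() returns null
 *  instead of building a fresh Subject (and Session) from the remember-me cookie. */
class LogoutAwareRequest extends HttpServletRequestWrapper {
    private final RememberMeLookup rememberMe;

    LogoutAwareRequest(HttpServletRequest request, RememberMeLookup rememberMe) {
        super(request);
        this.rememberMe = rememberMe;
    }

    @Override
    public String getRemoteUser() {
        if (LogoutMarker.isLoggedOut(this)) {
            return null;
        }
        return rememberMe.getRememberedPrincipal(this);
    }
}
```

The attribute is request-scoped, so it only protects the remainder of the request in which logout ran; subsequent requests are covered by the expired cookie sent on the response. Checking the marker in both places is what makes a framework-level call such as getRemoteUser() safe to invoke after logout without silently creating a new session.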