[ https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16711497#comment-16711497 ]

Jacques Le Roux edited comment on OFBIZ-10666 at 12/6/18 4:03 PM:
------------------------------------------------------------------

Yes and it's based on the autologin cookie and that's where things get 
complicated.

I cleaned the situation with OFBIZ-4959 and OFBIZ-10635. But browsers' 
behaviours are different. That's why The Onion wrote 
[this parody|https://www.theonion.com/after-checking-your-bank-account-remember-to-log-out-1819584860].
For instance FF is snarky because 
[it does not delete expired cookies immediately even if you close FF|https://support.mozilla.org/fr/questions/983361]. 
So when you quickly look at them in the browser they are still there with a 
date :/. So you can't refer to FF for checking cookie values.

Also there are still some inconsistencies with current behaviour. So I double 
checked that in detail and here are my conclusions.

I did well by setting {{autoLoginCookie.setMaxAge(0);}} in 
{{LoginWorker::autoLoginRemove}}. But I missed that the cookie can still be 
there after autoLoginRemove (which calls logout, important for the sequel). So 
after a logout or an autoLoginRemove, OFBiz considers it's a 1st visit and calls 
autoLoginCheck which depends on the cookie value ("autoUserLoginId"). And sets 
the sessionAttributes.autoName again, on which the information in the header 
depends.

The autoLogin feature improves the user's experience. During a year if the 
user comes back s/he is logged in automatically after her/his last visit.
But if the user is not the right one (for instance several users use the same 
machine) or if s/he decided to log out then s/he should not be logged in and 
her/his name should not appear on the header.

Here is a patch that should conform the behaviour to this "specification", 
please check if it's OK with you before I commit. Note that you might encounter 
issues if you don't start from a clean state. So better to remove the JSESSIONID 
cookie for the ecommerce application before starting.

The idea is to have only one way to logout and autoLoginRemove should be used. 
Also not only rely on 1st visit processor to run autoLoginCheck but also on 
preprocessor. The latter might be controversial but I did not find a better way 
to fix the current behaviour.


was (Author: jacques.le.roux):
Yes and it's based on the autologin cookie and that's where things get 
complicated.

I cleaned the situation with OFBIZ-4959 and OFBIZ-10635. But browsers' 
behaviours are different. That's why The Onion wrote 
[this parody|https://www.theonion.com/after-checking-your-bank-account-remember-to-log-out-1819584860].
For instance FF is snarky because 
[it does not delete expired cookies immediately even if you close FF|https://support.mozilla.org/fr/questions/983361]. 
So when you quickly look at them in the browser they are still there with a 
date :/. So you can't refer to FF for checking cookie values.

Also there are still some inconsistencies with current behaviour. So I double 
checked that in detail and here are my conclusions.

I did well by setting {{autoLoginCookie.setMaxAge(0);}} in 
{{LoginWorker::autoLoginRemove}}. But I missed that the cookie can still be 
there after autoLoginRemove (which calls logout, important for the sequel). So 
after a logout or an autoLoginRemove, OFBiz considers it's a 1st visit and calls 
autoLoginRemove which depends on the cookie value ("autoUserLoginId"). And sets 
the sessionAttributes.autoName again, on which the information in the header 
depends.

The autoLogin feature improves the user's experience. During a year if the 
user comes back s/he is logged in automatically after her/his last visit.
But if the user is not the right one (for instance several users use the same 
machine) or if s/he decided to log out then s/he should not be logged in and 
her/his name should not appear on the header.

Here is a patch that should conform the behaviour to this "specification", 
please check if it's OK with you before I commit. Note that you might encounter 
issues if you don't start from a clean state. So better to remove the JSESSIONID 
cookie for the ecommerce application before starting.

The idea is to have only one way to logout and autoLoginRemove should be used. 
Also not only rely on 1st visit processor to run autoLoginCheck but also on 
preprocessor. The latter might be controversial but I did not find a better way 
to fix the current behaviour.

> User's name is displayed on ecommerce even after user logs out
> --------------------------------------------------------------
>
>                 Key: OFBIZ-10666
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10666
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: Trunk
>            Reporter: Arpit Mor
>            Assignee: Jacques Le Roux
>            Priority: Major
>         Attachments: 1-OpenURL.png, 2-LoggedIn.png, 3-LoggedOut.png, 
> 4-NotYou.png, OFBIZ-10666.patch
>
>
> Steps to regenerate:
>  # Open URL: [https://demo-trunk.ofbiz.apache.org/ecommerce/control/main]. 
> Welcome is displayed and user's name is not displayed when URL is opened. 
> (Please refer attachment: 1-OpenURL)
>  # Login at ecommerce by clicking on login and entering Username: "admin" and 
> Password: "ofbiz". Username will be displayed after user logs in. (Please 
> refer attachment: 2-LoggedIn)
>  # Logout of ecommerce by clicking on logout. User will be logged out and 
> login link will be displayed in place of logout link, but the name of user is 
> still displayed. (Please refer attachment: 3-LoggedOut)
> Actual: Username is still displayed after user logs out
>  
> Expected: Username should not be displayed after the user logs out
>  
> Note: Similar issue also exists when the user clicks on (Not You? Click Here) 
> link. (Please refer attachment: 4-NotYou)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
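
The comment above notes that setting {{setMaxAge(0)}} on the response does not stop a later autoLoginCheck from seeing the cookie and setting autoName again. The following is an added example, not the attached OFBIZ-10666.patch and not OFBiz's LoginWorker: one way to make a single logout path and a cookie check that ignores a cookie already expired in the same request. The class name, the request attribute {{autoLoginRemoved}} and the cookie path are assumptions; only {{autoUserLoginId}} and {{autoName}} come from the comment.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added illustration; hypothetical helper, not OFBiz's LoginWorker. */
public final class AutoLoginExample {
    static final String COOKIE_NAME = "autoUserLoginId";   // name taken from the comment
    static final String REMOVED_FLAG = "autoLoginRemoved"; // hypothetical request attribute

    /** Single logout path: clear server-side state and expire the cookie. */
    public static void autoLoginRemove(HttpServletRequest req, HttpServletResponse resp) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.removeAttribute("autoName"); // the header reads this attribute
        }
        Cookie expired = new Cookie(COOKIE_NAME, "");
        expired.setMaxAge(0); // asks the browser to delete the cookie
        expired.setPath("/"); // assumption: must equal the path used when it was set
        resp.addCookie(expired);
        // setMaxAge(0) only affects the response. The incoming request still
        // carries the old value, so record the removal for later events.
        req.setAttribute(REMOVED_FLAG, Boolean.TRUE);
    }

    /** Intended to run from both the first-visit and the preprocessor events. */
    public static void autoLoginCheck(HttpServletRequest req) {
        if (Boolean.TRUE.equals(req.getAttribute(REMOVED_FLAG))) {
            return; // cookie was expired earlier in this request: ignore the stale copy
        }
        Cookie[] cookies = req.getCookies(); // null when the request has no cookies
        if (cookies == null) {
            return;
        }
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName()) && !c.getValue().isEmpty()) {
                // Real code would resolve a display name from the login id.
                req.getSession().setAttribute("autoName", c.getValue());
                return;
            }
        }
    }
}
```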
