[ https://issues.apache.org/jira/browse/OFBIZ-12047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17283636#comment-17283636 ]

Olivier Heintz commented on OFBIZ-12047:
----------------------------------------

After a strange behavior in vueJs components I have checked a little more.

From my point of view (but clearly I do not have an understanding of RequestHandler 
and the login Java process) there are already a lot of hardcoded request names 
("checkLogin", "ajaxCheckLogin", ...), and it's possible to test with 
equals("login") rather than contains; it seems more secure.

If we want to manage all cases, it will be necessary to add not 
equals("SetTimeZoneFromBrowser") too, but it's necessary only in a very specific 
case, so I prefer to forget this case.

So in the new patch, the only modification is the change from path.contains("login") 
to requestUri.equals("login").

[^RequestHandler.java.patch]

> Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages
> -----------------------------------------------------------------------
>
>                 Key: OFBIZ-12047
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12047
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/webapp
>    Affects Versions: Release Branch 18.12, Trunk
>            Reporter: Ingo Könemann
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: 18.12.01, Upcoming Branch
>
>         Attachments: RequestHandler.java.patch, RequestHandler.java.patch
>
>
> There is a session attribute called "_PREVIOUS_REQUEST_" used to remember and 
> execute the previous request after a login occurs. This attribute is not 
> removed properly when navigating away from a page without logging in.
> When navigating to a page that requires authentication the 
> "_PREVIOUS_REQUEST_" attribute is saved in the session from within the 
> LoginWorker to be called again when the login was successful through the 
> RequestHandler. Currently, the attribute is only removed when a login occurs 
> resulting in the previous request being stored in the session until some form 
> of login is successfully executed.
> This behavior potentially results in navigation problems since a user is able 
> to navigate to a page requiring authentication without logging in. An old 
> request will be pulled from the session when a similar event occurs and the 
> user logs in.
>  
> I propose to have the RequestHandler remove the session attribute 
> "_PREVIOUS_REQUEST_" after calling a request that does not require 
> authentication. We also have to restructure the sequence of request handling 
> to have the "targetRequestUri" handled after the security check and a 
> possible removal of the session attribute.
>  
> One problem arises with this solution, however, which should be less of an 
> issue than the current state:
> If the login page includes a request call that is handled after the request 
> showing the login page (for example an ajax call rendering a screen), the 
> "_PREVIOUS_REQUEST_" attribute will be lost before the login is processed. To 
> my knowledge such a case does not exist within the OFBiz environment and 
> seems to be an edge case far less problematic than the above mentioned 
> problem.
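The flow described in the issue (save the target request when an anonymous user hits a protected page, clear it again on any public request, replay it only on a login that follows directly) and the exact-match check discussed in the comment, as an added, self-contained Java model. This is not OFBiz code: the class `PreviousRequestDemo`, the `Session` stand-in, the `PROTECTED` set and the request names other than `login`, `checkLogin` and `ajaxCheckLogin` are constructed assumptions so the behavior can be run outside a servlet container.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical, simplified model of the request handling proposed in OFBIZ-12047.
 * Not OFBiz code: RequestHandler/LoginWorker behavior is reduced to two static
 * methods and the servlet session is replaced by a small map-backed stand-in.
 */
public class PreviousRequestDemo {

    static final String PREVIOUS_REQUEST = "_PREVIOUS_REQUEST_";

    // Constructed set of request URIs that require authentication (assumption).
    static final Set<String> PROTECTED = Set.of("viewOrders", "editProfile");

    /** Minimal session stand-in for the demo. */
    static final class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        boolean loggedIn;
        void set(String key, Object value) { attrs.put(key, value); }
        Object get(String key) { return attrs.get(key); }
        void remove(String key) { attrs.remove(key); }
    }

    /** The check the comment argues for: an exact match on the request URI. */
    static boolean isLoginRequest(String requestUri) {
        return "login".equals(requestUri);
    }

    /** The weaker check the patch replaces: a substring match on the path. */
    static boolean isLoginRequestByContains(String path) {
        return path.contains("login");
    }

    /**
     * One request under the proposed ordering: security check first, then
     * removal of the stale attribute on a public request, then the target
     * request is resolved. Returns the request actually rendered.
     */
    static String handle(Session session, String requestUri) {
        boolean requiresAuth = PROTECTED.contains(requestUri);
        if (requiresAuth && !session.loggedIn) {
            // LoginWorker behavior: remember where the user wanted to go.
            session.set(PREVIOUS_REQUEST, requestUri);
            return "login";
        }
        if (!requiresAuth && !isLoginRequest(requestUri)) {
            // Proposed fix: any public page other than the login page clears
            // the attribute, so a later login cannot replay an old request.
            session.remove(PREVIOUS_REQUEST);
        }
        return requestUri;
    }

    /** Successful login: replay the saved request if present, then drop it. */
    static String login(Session session) {
        session.loggedIn = true;
        Object previous = session.get(PREVIOUS_REQUEST);
        session.remove(PREVIOUS_REQUEST);
        return previous == null ? "main" : previous.toString();
    }

    public static void main(String[] args) {
        Session session = new Session();
        // 1. Anonymous user requests a protected page: sent to login, target saved.
        System.out.println("handle(viewOrders) -> " + handle(session, "viewOrders"));
        System.out.println("saved: " + session.get(PREVIOUS_REQUEST));
        // 2. User leaves without logging in and opens a public page: attribute cleared.
        System.out.println("handle(main) -> " + handle(session, "main"));
        System.out.println("saved: " + session.get(PREVIOUS_REQUEST));
        // 3. A login much later lands on the default page, not on the stale target.
        System.out.println("login() -> " + login(session));

        // Exact match versus substring match on constructed request names.
        for (String uri : List.of("login", "checkLogin", "ajaxCheckLogin", "loginHelp")) {
            System.out.printf("%-16s contains=%-5b equals=%b%n",
                    uri, isLoginRequestByContains(uri), isLoginRequest(uri));
        }
    }
}
```

Step 2 is also the edge case the issue mentions: if the login page itself issued a further non-login request (an ajax screen render, say) before the user submitted credentials, that request would clear `_PREVIOUS_REQUEST_` and the login would land on the default page. The loop at the end shows why the comment prefers `equals`: `contains("login")` is case-sensitive and also accepts any other request name that happens to embed the word, while `equals("login")` exempts exactly one request from the clearing rule.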



--
This message was sent by Atlassian Jira
(v8.3.4#803005)