details: https://code.openbravo.com/erp/devel/pi/rev/624c1fa5299c changeset: 32234:624c1fa5299c user: Asier Lostalé <asier.lostale <at> openbravo.com> date: Tue May 30 15:17:57 2017 +0200 summary: fixed bug 30031: row created in ad_session for same cookie after erp logout
Logout navigates to root page (index.jsp) which in case of not logged in, redirects to login page. By default jsp pages creates a HttpSession if it does not exist, so finally we got a HttpSession + an AD_Session entry. Fixed by preventing session creation in index.jsp, and redirecting to login page if no session detected. diffstat: src/index.jsp | 25 ++++++++---- src/org/openbravo/authentication/AuthenticationManager.java | 2 +- 2 files changed, 17 insertions(+), 10 deletions(-) diffs (78 lines): diff -r 816a40caaba9 -r 624c1fa5299c src/index.jsp --- a/src/index.jsp Thu May 25 17:01:51 2017 -0400 +++ b/src/index.jsp Tue May 30 15:17:57 2017 +0200 @@ -24,6 +24,7 @@ <%@ page import="org.openbravo.erpCommon.obps.ActivationKey.LicenseRestriction" %> <%@ page import="org.openbravo.client.application.window.ApplicationDictionaryCachedStructures"%> <%@ page contentType="text/html; charset=UTF-8" %> +<%@ page session="false" %> <% /* ************************************************************************* 
@@ -46,19 +47,25 @@ Logger log = Logger.getLogger(org.openbravo.authentication.AuthenticationManager.class); +HttpSession currentSession = request.getSession(false); + AuthenticationManager authManager = AuthenticationManager.getAuthenticationManager(this); +if (currentSession == null) { + response.sendRedirect(authManager.getLoginURL(request)); + return; +} String userId = authManager.authenticate(request, response); -if(userId == null){ +if (userId == null) { return; } OBContext.setAdminMode(false); String sessionId = null; try { - sessionId = (String) session.getAttribute("#AD_SESSION_ID"); - if (sessionId != null && !"".equals(sessionId) && !"Y".equals(session.getAttribute("forceLogin"))) { + sessionId = (String) currentSession.getAttribute("#AD_SESSION_ID"); + if (sessionId != null && !"".equals(sessionId) && !"Y".equals(currentSession.getAttribute("forceLogin"))) { org.openbravo.model.ad.access.Session dbSession = OBDal.getInstance().get(org.openbravo.model.ad.access.Session.class, sessionId); String currentSessionType = dbSession.getLoginStatus(); @@ -75,7 +82,7 @@ OBError errMsg = new OBError(); errMsg.setTitle(OBMessageUtils.messageBD("NUMBER_OF_CONCURRENT_USERS_REACHED_TITLE", false, true)); errMsg.setMessage(OBMessageUtils.messageBD("NUMBER_OF_CONCURRENT_USERS_REACHED", false, true)); - session.setAttribute("LOGINERRORMSG", errMsg); + currentSession.setAttribute("LOGINERRORMSG", errMsg); response.sendRedirect(authManager.getLoginURL(request)); return; 
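Review bot: `currentSession` is captured before `authManager.authenticate(request, response)` runs, and the later `currentSession.getAttribute("#AD_SESSION_ID")` still uses that reference. If an authentication manager invalidates or replaces the HttpSession inside authenticate() (a usual session-fixation defence, not visible in this hunk), the stale reference would throw IllegalStateException. Re-reading the session after authentication would avoid that: `currentSession = request.getSession(false); if (currentSession == null) { response.sendRedirect(authManager.getLoginURL(request)); return; }`. In the same block, `dbSession.getLoginStatus()` is called with no null check on the result of `OBDal.getInstance().get(...)`, so a cookie whose AD_Session row no longer exists presumably ends in a NullPointerException. The try block continues outside the hunk.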
@@ -266,11 +273,11 @@ document.body.removeChild(document.getElementById('OBLoadingDiv')); OB.GlobalHiddenForm = document.forms.OBGlobalHiddenForm; <% - if (session.getAttribute("STARTUP-MESSAGE") != null) { - String text = (String) session.getAttribute("STARTUP-MESSAGE"); - String title = (String) session.getAttribute("STARTUP-MESSAGE-TITLE"); - session.removeAttribute("STARTUP-MESSAGE"); - session.removeAttribute("STARTUP-MESSAGE-TITLE"); + if (currentSession.getAttribute("STARTUP-MESSAGE") != null) { + String text = (String) currentSession.getAttribute("STARTUP-MESSAGE"); + String title = (String) currentSession.getAttribute("STARTUP-MESSAGE-TITLE"); + currentSession.removeAttribute("STARTUP-MESSAGE"); + currentSession.removeAttribute("STARTUP-MESSAGE-TITLE"); %> isc.say('<%=text%>', null, {title: '<%=title%>'}); <% diff -r 816a40caaba9 -r 624c1fa5299c src/org/openbravo/authentication/AuthenticationManager.java --- a/src/org/openbravo/authentication/AuthenticationManager.java Thu May 25 17:01:51 2017 -0400 +++ b/src/org/openbravo/authentication/AuthenticationManager.java Tue May 30 15:17:57 2017 +0200 @@ -199,7 +199,7 @@ // It just need to set an the attribute loginURL in the request final String customLoginURL = (String) request.getAttribute("loginURL"); - return localAdress + return HttpBaseUtils.getLocalAddress(request) + (customLoginURL == null || "".equals(customLoginURL) ? defaultServletUrl : customLoginURL); } ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openbravo-commits mailing list Openbravo-commits@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openbravo-commits
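Review bot: `text` and `title` are written into single-quoted JavaScript string literals in `isc.say('<%=text%>', null, {title: '<%=title%>'});` without any escaping. A quote, backslash, line break or `</script>` in the STARTUP-MESSAGE attributes would break the script block, and it becomes script injection if any part of those values can be influenced by a user; where the attributes are set is not visible here. Both values should pass through a JavaScript-string encoder before output, with a comment such as `// session values are encoded for a JS string context`. The scriptlet's closing brace lies outside the hunk.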
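Review bot: The base of the login URL now comes from `HttpBaseUtils.getLocalAddress(request)` on every call, and index.jsp hands the result straight to `response.sendRedirect(...)`. If that helper builds the address from the Host or forwarding headers (its implementation is not shown), the redirect target depends on client-supplied data. The return statement deserves a comment on where the address comes from, e.g. `// base URL is derived from the current request; it must resolve to a trusted host`, and, if it is header-based, a check against the configured host names. The `localAdress` field may now be unused and could be removed. The method starts above the hunk.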