[jira] [Comment Edited] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out
[ https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16743633#comment-16743633 ]

Deepak Nigam edited comment on OFBIZ-10666 at 1/16/19 5:35 AM:
---

Thanks for sharing "[the Onion parody|https://www.theonion.com/after-checking-your-bank-account-remember-to-log-out-1819584860]", [~jacques.le.roux]. It is quite interesting, however difficult to grasp in first few readings. ;)

was (Author: deepak.nigam):
Thanks for sharing "[the Onion parody|https://www.theonion.com/after-checking-your-bank-account-remember-to-log-out-1819584860]". It is quite interesting, however difficult to grasp in first few readings. ;)

> User's name is displayed on ecommerce even after user logs out
> --
>
> Key: OFBIZ-10666
> URL: https://issues.apache.org/jira/browse/OFBIZ-10666
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: Trunk
> Reporter: Arpit Mor
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
> Attachments: 1-OpenURL.png, 2-LoggedIn.png, 3-LoggedOut.png, 4-NotYou.png, OFBIZ-10666.patch, OFBiz-10666.patch
>
>
> Steps to regenerate:
> # Open URL: [https://demo-trunk.ofbiz.apache.org/ecommerce/control/main]. Welcome is displayed and user's name is not displayed when URL is opened. (Please refer attachment: 1-OpenURL)
> # Login at ecommerce by clicking on login and entering Username: "admin" and Password: "ofbiz". Username will be displayed after user logs in. (Please refer attachment: 2-LoggedIn)
> # Logout of ecommerce by clicking on logout. User will be logged out and login link will be displayed in place of logout link, but the name of user is still displayed. (Please refer attachment: 3-LoggedOut)
> Actual: Username is still displayed after user logs out
>
> Expected: Username should not be displayed after the user logs out
>
> Note: Similar issue also exists when the user clicks on (Not You? Click Here) link. (Please refer attachment: 4-NotYou)

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Comment Edited] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out
[ https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16741938#comment-16741938 ]

Jacques Le Roux edited comment on OFBIZ-10666 at 1/14/19 1:56 PM:
--

BTW Deepak, if you did not read it already, I think you should like [the Onion parody|https://www.theonion.com/after-checking-your-bank-account-remember-to-log-out-1819584860] I linked to above. It takes little experiences with cookies, login, logout and SSO to really appreciate it. The more I work on these subjects the more I understand why they wrote it ;)

was (Author: jacques.le.roux):
BTW Deepak, if you did not read it already, I think you should appreciate [the Onion parody|https://www.theonion.com/after-checking-your-bank-account-remember-to-log-out-1819584860] I linked to above. It takes little experiences with cookies, login, logout and SSO to really appreciate it. The more I work on these subjects the more I understand why they wrote it ;)
[jira] [Comment Edited] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out
[ https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16742083#comment-16742083 ]

Jacques Le Roux edited comment on OFBIZ-10666 at 1/14/19 1:57 PM:
--

You nailed it, thanks Deepak! Your patch is in
trunk r1851247
R18 r1851248
R17 r1851249
R16 r1851250

(editing in "Visual" mode adds useless lines :()

was (Author: jacques.le.roux):
You nailed it, thanks Deepak! Your patch is in
trunk r1851247
R18 r1851248
R17 r1851249
R16 r1851250
[jira] [Comment Edited] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out
[ https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16741938#comment-16741938 ]

Jacques Le Roux edited comment on OFBIZ-10666 at 1/14/19 1:56 PM:
--

BTW Deepak, if you did not read it already, I think you should appreciate [the Onion parody|https://www.theonion.com/after-checking-your-bank-account-remember-to-log-out-1819584860] I linked to above. It takes little experiences with cookies, login, logout and SSO to really appreciate it. The more I work on these subjects the more I understand why they wrote it ;)

was (Author: jacques.le.roux):
BTW Deepak, if you did not read it already, I think you should better appreciate [the Onion parody|https://www.theonion.com/after-checking-your-bank-account-remember-to-log-out-1819584860] I linked to above. It takes little experiences with cookies, login, logout and SSO to really appreciate it. The more I work on these subjects the more I understand why they wrote it ;)
[jira] [Comment Edited] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out
[ https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16741761#comment-16741761 ]

Deepak Nigam edited comment on OFBIZ-10666 at 1/14/19 4:56 AM:
---

Thanks for the detailed research [~jacques.le.roux].

I have already tried by removing getMaxAge() from LoginWorker.getAutoUserLoginId() and setMaxAge(0) in the method LoginWorker.autoLoginRemove(). Even after setting the max age 0 I was getting the auto-login cookie from the cookies array inside LoginWorker.getAutoUserLoginId() method. It means the above statement "If a cookie has expired, the browser does not send that particular cookie to the server with the page request; instead, the expired cookie is deleted." is not 100% correct.

So, if we remove the getMaxAge() check from the condition, then the issue reported in this ticket will come again.

was (Author: deepak.nigam):
Thanks for the detailed research [~jacques.le.roux].

I have already tried by removing getMaxAge() from LoginWorker.getAutoUserLoginId() and setMaxAge(0). Even after setting the max age 0 I was getting the auto-login cookie from the cookies array inside LoginWorker.getAutoUserLoginId() method. It means the above statement "If a cookie has expired, the browser does not send that particular cookie to the server with the page request; instead, the expired cookie is deleted." is not 100% correct.

So, if we remove the getMaxAge() check from the condition, then the issue reported in this ticket will come again.
[jira] [Comment Edited] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out
[ https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16741530#comment-16741530 ] Jacques Le Roux edited comment on OFBIZ-10666 at 1/13/19 11:41 AM: --- Actually we need more than that, and it's still not enough. According to [https://www.google.com/search?q=java+get+rid+of+a+cookie=UTF-8] , we need: {noformat} Index: framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java === --- framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java (revision 1851194) +++ framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java (working copy) @@ -975,8 +975,7 @@ } if (cookies != null) { for (Cookie cookie: cookies) { -if (cookie.getName().equals(getAutoLoginCookieName(request)) -&& cookie.getMaxAge() > 0) { +if (cookie.getName().equals(getAutoLoginCookieName(request))) { autoUserLoginId = cookie.getValue(); break; } @@ -1012,7 +1011,6 @@ if (autoUserLogin != null){ return "success"; } - return autoLoginCheck(delegator, session, getAutoUserLoginId(request)); } 
@@ -1052,7 +1050,7 @@ // remove the cookie if (userLogin != null) { -Cookie autoLoginCookie = new Cookie(getAutoLoginCookieName(request), userLogin.getString("userLoginId")); +Cookie autoLoginCookie = new Cookie(getAutoLoginCookieName(request), ""); autoLoginCookie.setMaxAge(0); autoLoginCookie.setPath("/"); response.addCookie(autoLoginCookie); {noformat} But then we still have an issue with {noformat} private static String autoLoginCheck(Delegator delegator, HttpSession session, String autoUserLoginId) { [...] if (person != null) { session.setAttribute("autoName", person.getString("firstName") + " " + person.getString("lastName")); } else if (group != null) { session.setAttribute("autoName", group.getString("groupName")); } {noformat} Which systematically resurrects autoName. BTW we have 2 other occurences of {{setMaxAge(0)}} and only one use the right strategy (using null instead of an empty String, I guess both work). was (Author: jacques.le.roux): Actually we need more than that, and it's still not enough. According to [https://www.google.com/search?q=java+get+rid+of+a+cookie=UTF-8] , we need: {noformat} Index: framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java === --- framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java (revision 1851194) +++ framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java (working copy) @@ -975,8 +975,7 @@ } if (cookies != null) { for (Cookie cookie: cookies) { -if (cookie.getName().equals(getAutoLoginCookieName(request)) -&& cookie.getMaxAge() > 0) { +if (cookie.getName().equals(getAutoLoginCookieName(request))) { autoUserLoginId = cookie.getValue(); break; } @@ -1012,7 +1011,6 @@ if (autoUserLogin != null){ return "success"; } - return autoLoginCheck(delegator, session, getAutoUserLoginId(request)); } 
@@ -1052,7 +1050,7 @@ // remove the cookie if (userLogin != null) { -Cookie autoLoginCookie = new Cookie(getAutoLoginCookieName(request), userLogin.getString("userLoginId")); +Cookie autoLoginCookie = new Cookie(getAutoLoginCookieName(request), ""); autoLoginCookie.setMaxAge(0); autoLoginCookie.setPath("/"); response.addCookie(autoLoginCookie); {noformat} But then we still have an issue with {noformat} private static String autoLoginCheck(Delegator delegator, HttpSession session, String autoUserLoginId) { [...] if (person != null) { session.setAttribute("autoName", person.getString("firstName") + " " + person.getString("lastName")); } else if (group != null) { session.setAttribute("autoName", group.getString("groupName")); } {noformat} Which systematically resurrects autoName. I begin to wonder if we should not rewrite the whole and use rather another not cookie based strategy like exposed at [https://stackoverflow.com/questions/2185951/how-do-i-keep-a-user-logged-into-my-site-for-months] (1st answer, Java 8). It's a bit early to tell, but I already spent
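Review bot: in the hunk at -975,8, dropping the `cookie.getMaxAge() > 0` test means the loop now accepts any cookie carrying the auto-login name, including one with an empty value, and the -1052,7 hunk sends exactly such a cookie (`new Cookie(getAutoLoginCookieName(request), "")`). If that cookie shows up in the cookies array, `autoUserLoginId` becomes "" rather than null. Suggest assigning only when `cookie.getValue()` is non-null and non-empty, and adding a short comment saying why max-age is no longer consulted.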
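Review bot: the hunk at -1012,7 only deletes the blank line before `return autoLoginCheck(delegator, session, getAutoUserLoginId(request));`. This is an unrelated whitespace change; leaving it out keeps the patch limited to the cookie handling and makes the backports to the release branches easier to compare.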
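Review bot: in the hunk at -1052,7 the removal cookie is still created inside `if (userLogin != null)`, although with the new empty value nothing in the visible lines needs userLogin any more. As far as this hunk shows, the cookie could be expired regardless of userLogin, so that a request reaching this code without a userLogin does not leave the auto-login cookie in the browser. A comment next to `autoLoginCookie.setPath("/")` noting that the path has to match the one used when the cookie was created would also help, since that creation code is not part of this patch.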
[jira] [Comment Edited] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out
[ https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16740169#comment-16740169 ]

Jacques Le Roux edited comment on OFBIZ-10666 at 1/11/19 2:36 PM:
--

As per the discussion above, if the user does logout intentionally, then the autoLogin cookie should not be used otherwise it should be used. But autoLogin cookie is not getting used in any of the cases.

Consider the below code snippet from LoginWorker.getAutoUserLoginId() method:

{code:java}
if (cookie.getName().equals(getAutoLoginCookieName(request))
        && cookie.getMaxAge() > 0) {
    autoUserLoginId = cookie.getValue();
    break;
}
{code}

In the above condition the cookie.getMaxAge(0) function is not working as expected because getMaxAge() method is not a reliable one and returns -1 in most of the cases. Please refer to the following links for more information:

[In Java servlet, cookie.getMaxAge() always returns -1|https://stackoverflow.com/questions/14391749/in-java-servlet-cookie-getmaxage-always-returns-1]

[What do browsers do with expired cookies?|https://superuser.com/questions/356265/what-do-browsers-do-with-expired-cookies]

If a cookie has expired, the browser does not send that particular cookie to the server with the page request; instead, the expired cookie is deleted.

was (Author: deepak.nigam):
As per the discussion above, if the user does logout intentionally, then the autoLogin cookie should not be used otherwise it should be used. But autoLogin cookie is not getting used in any of the cases.

Consider the below code snippet from LoginWorker.getAutoUserLoginId() method:

if (cookie.getName().equals(getAutoLoginCookieName(request))
        && cookie.getMaxAge() > 0) {
    autoUserLoginId = cookie.getValue();
    break;
}

In the above condition the cookie.getMaxAge(0) function is not working as expected because getMaxAge() method is not a reliable one and returns -1 in most of the cases. Please refer to the following links for more information:

[In Java servlet, cookie.getMaxAge() always returns -1|https://stackoverflow.com/questions/14391749/in-java-servlet-cookie-getmaxage-always-returns-1]

[What do browsers do with expired cookies?|https://superuser.com/questions/356265/what-do-browsers-do-with-expired-cookies]

If a cookie has expired, the browser does not send that particular cookie to the server with the page request; instead, the expired cookie is deleted.
[jira] [Comment Edited] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out
[ https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16740169#comment-16740169 ]

Jacques Le Roux edited comment on OFBIZ-10666 at 1/11/19 2:37 PM:
--

As per the discussion above, if the user does logout intentionally, then the autoLogin cookie should not be used otherwise it should be used. But autoLogin cookie is not getting used in any of the cases.

Consider the below code snippet from LoginWorker.getAutoUserLoginId() method:

{code:java}
if (cookie.getName().equals(getAutoLoginCookieName(request))
        && cookie.getMaxAge() > 0) {
    autoUserLoginId = cookie.getValue();
    break;
}
{code}

In the above condition the cookie.getMaxAge(0) function is not working as expected because getMaxAge() method is not a reliable one and returns -1 in most of the cases. Please refer to the following links for more information:

[In Java servlet, cookie.getMaxAge() always returns -1|https://stackoverflow.com/questions/14391749/in-java-servlet-cookie-getmaxage-always-returns-1]

[What do browsers do with expired cookies?|https://superuser.com/questions/356265/what-do-browsers-do-with-expired-cookies]

If a cookie has expired, the browser does not send that particular cookie to the server with the page request; instead, the expired cookie is deleted.

was (Author: deepak.nigam):
As per the discussion above, if the user does logout intentionally, then the autoLogin cookie should not be used otherwise it should be used. But autoLogin cookie is not getting used in any of the cases.

Consider the below code snippet from LoginWorker.getAutoUserLoginId() method:

{code:java}
if (cookie.getName().equals(getAutoLoginCookieName(request))
        && cookie.getMaxAge() > 0) {
    autoUserLoginId = cookie.getValue();
    break;
}
{code}

In the above condition the cookie.getMaxAge(0) function is not working as expected because getMaxAge() method is not a reliable one and returns -1 in most of the cases. Please refer to the following links for more information:

[In Java servlet, cookie.getMaxAge() always returns -1|https://stackoverflow.com/questions/14391749/in-java-servlet-cookie-getmaxage-always-returns-1]

[What do browsers do with expired cookies?|https://superuser.com/questions/356265/what-do-browsers-do-with-expired-cookies]

If a cookie has expired, the browser does not send that particular cookie to the server with the page request; instead, the expired cookie is deleted.
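Added example, not part of the original thread and not OFBiz code: a plain-JDK model of the browser and server sides of the auto-login cookie exchange discussed in the comment above. It shows that the Cookie request header carries only name=value pairs (so a server-side max-age check has nothing to read), that the request being handled at logout still carries the cookie, and that a Max-Age=0 removal only deletes the entry with the same name and path. The cookie name, the /ecommerce path and all values are constructed assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not OFBiz code. Cookie name, paths and values are constructed.
public class AutoLoginCookieDemo {
    static final String NAME = "autoUserLoginId"; // assumed cookie name

    // Toy browser jar: one entry per (name, path), holding only the value.
    static final Map<String, String> jar = new LinkedHashMap<>();

    // Browser side: apply one Set-Cookie header value (only Path and Max-Age modelled).
    static void applySetCookie(String setCookie) {
        String[] parts = setCookie.split(";");
        String[] nv = parts[0].trim().split("=", 2);
        String path = "/";   // simplification: real browsers derive a default from the URL
        Long maxAge = null;  // absent Max-Age means a session cookie
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].trim().split("=", 2);
            if (kv.length < 2) continue;
            if (kv[0].equalsIgnoreCase("Path")) path = kv[1];
            if (kv[0].equalsIgnoreCase("Max-Age")) maxAge = Long.parseLong(kv[1]);
        }
        String key = nv[0] + "\t" + path;
        if (maxAge != null && maxAge <= 0) {
            jar.remove(key); // expires only the entry with the same name AND path
        } else {
            jar.put(key, nv.length == 2 ? nv[1] : "");
        }
    }

    // Browser side: the Cookie request header is "name=value" pairs and nothing else,
    // so the server cannot learn Max-Age, Path or Expires from it.
    static String cookieHeaderFor(String requestPath) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : jar.entrySet()) {
            String[] namePath = e.getKey().split("\t", 2);
            if (!requestPath.startsWith(namePath[1])) continue; // simplified path match
            if (sb.length() > 0) sb.append("; ");
            sb.append(namePath[0]).append('=').append(e.getValue());
        }
        return sb.toString();
    }

    // Server side: pick the auto-login id out of the header, treating "" as absent.
    static String autoUserLoginId(String cookieHeader) {
        for (String pair : cookieHeader.split(";")) {
            String[] nv = pair.trim().split("=", 2);
            if (nv.length == 2 && nv[0].equals(NAME) && !nv[1].isEmpty()) return nv[1];
        }
        return null;
    }

    public static void main(String[] args) {
        String page = "/ecommerce/control/main";

        // Login response sets the cookie for one year under a constructed path.
        applySetCookie(NAME + "=admin; Max-Age=31536000; Path=/ecommerce");

        // The request that triggers logout still carries the cookie, attribute-free.
        String logoutRequest = cookieHeaderFor(page);
        System.out.println("Cookie: " + logoutRequest);
        System.out.println("id during logout request: " + autoUserLoginId(logoutRequest));

        // Removal with a different Path leaves the browser's copy untouched.
        applySetCookie(NAME + "=; Max-Age=0; Path=/");
        System.out.println("after Path=/ removal: " + autoUserLoginId(cookieHeaderFor(page)));

        // Removal with the same name and Path deletes it; later requests omit it.
        applySetCookie(NAME + "=; Max-Age=0; Path=/ecommerce");
        System.out.println("after matching removal: " + autoUserLoginId(cookieHeaderFor(page)));
    }
}
```

Because the removal only reaches the browser in the response, any server-side code that runs later in the same logout request has to rely on session state rather than on the cookie being gone.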
[jira] [Comment Edited] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out
[ https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16711497#comment-16711497 ]

Jacques Le Roux edited comment on OFBIZ-10666 at 12/6/18 4:03 PM:
--

Yes and it's based on the autologin cookie and that's where things get complicated. I cleaned the situation with the OFBIZ-4959 and OFBIZ-10635. But browsers' behaviours are different. That's why The Onion wrote [this parody|https://www.theonion.com/after-checking-your-bank-account-remember-to-log-out-1819584860]. For instance FF is snarky because [it does not delete expired cookies immediately even if you close FF|https://support.mozilla.org/fr/questions/983361]. So when you quickly look at them in the browser they are still there with a date :/. So you can't refer to FF for checking cookie values.

Also there are still some inconsistencies with current behaviour. So I double checked that in detail and here are my conclusions.

I did well by setting {{autoLoginCookie.setMaxAge(0);}} in {{LoginWorker::autoLoginRemove}}. But I missed that the cookie can still be there after autoLoginRemove (which calls logout, important for the sequel). So after a logout or an autoLoginRemove, OFBiz considers it's a 1st visit and calls autoLoginCheck which depends on the cookie value ("autoUserLoginId"). And set the sessionAttributes.autoName again on which the information in header depends.

The autoLogin feature improves the user's experience. During a year if the user comes back s/he is logged in automatically after her/his last visit. But if the user is not the right one (for instance several users use the same machine) or if s/he decided to log out then s/he should not be logged in and her/his name should not appear on header.

Here is a patch that should conform the behaviour to this "specification", please check if it's OK with you before I commit. Note that you might encounter issue if you don't start from a clean state. So better to remove the JSESSIONID cookie for the ecommerce application before starting.

The idea is to have only one way to logout and autoLoginRemove should be used. Also not only rely on 1st visit processor to run autoLoginCheck but also on preprocessor. The latter might be controversial but I did not find a better way to fix the current behaviour.

was (Author: jacques.le.roux):
Yes and it's based on the autologin cookie and that's where things get complicated. I cleaned the situation with the OFBIZ-4959 and OFBIZ-10635. But browsers' behaviours are different. That's why The Onion wrote [this parody|https://www.theonion.com/after-checking-your-bank-account-remember-to-log-out-1819584860]. For instance FF is snarky because [it does not delete expired cookies immediately even if you close FF|https://support.mozilla.org/fr/questions/983361]. So when you quickly look at them in the browser they are still there with a date :/. So you can't refer to FF for checking cookie values.

Also there are still some inconsistencies with current behaviour. So I double checked that in detail and here are my conclusions.

I did well by setting {{autoLoginCookie.setMaxAge(0);}} in {{LoginWorker::autoLoginRemove}}. But I missed that the cookie can still be there after autoLoginRemove (which calls logout, important for the sequel). So after a logout or an autoLoginRemove, OFBiz considers it's a 1st visit and calls autoLoginRemove which depends on the cookie value ("autoUserLoginId"). And set the sessionAttributes.autoName again on which the information in header depends.

The autoLogin feature improves the user's experience. During a year if the user comes back s/he is logged in automatically after her/his last visit. But if the user is not the right one (for instance several users use the same machine) or if s/he decided to log out then s/he should not be logged in and her/his name should not appear on header.

Here is a patch that should conform the behaviour to this "specification", please check if it's OK with you before I commit. Note that you might encounter issue if you don't start from a clean state. So better to remove the JSESSIONID cookie for the ecommerce application before starting.

The idea is to have only one way to logout and autoLoginRemove should be used. Also not only rely on 1st visit processor to run autoLoginCheck but also on preprocessor. The latter might be controversial but I did not find a better way to fix the current behaviour.