> -----Original Message-----
> From: Henning Schmiedehausen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 20, 2003 5:02 AM
> To: Quinton McCombs
> Cc: Turbine Development List
> Subject: Re: Login/Logout & session invalidating
> 
> 
> 
> > 
> > The problem with this idea is that we will lose session pull tools
> > since they will be removed before the login action executes.
> > 
> > I suggest that we make Turbine.logoutUser invalidate the
> session.  We
> > could then remove the existing code in Turbine.loginUser() that
> > removes all of the data from the session.
> > 
> > Anyone see a problem with this?
> 
> I was thinking about this and now I know why. :-) Consider
> the case where you have an application that has 
> "authenticated" and "non-authenticated" parts. E.g. a portal 
> site where you can access information but need to log in when 
> you want to post. It might be possible that a user starts a 
> (servlet) session, browses for a while, then logs in, posts 
> some articles and logs out again. Currently, the next 
> requests would stay in the same servlet session. Your 
> proposal would start a new session right at this moment. I'm 
> not sure if there are not applications that rely on the fact 
> that you can log out but stay in the same servlet session.

I think that another side effect of the way it currently 
works is that when the user logs out there is still data in 
their session.  The user has been replaced with an anonymous 
user by the default logout action and the acl is removed.  
However, if the user used the session itself for data storage 
that data will be left after logout.  

This won't be a problem as long as TurbineUser is used for 
the storage of data.  I am more concerned about people using 
JSP who will be more accustomed to using the session for storage.
 
Here is a unidiff output with the changes to Turbine and LoginUser.  

Index: Turbine.java
===================================================================
RCS file:
/home/cvs/jakarta-turbine-2/src/java/org/apache/turbine/Turbine.java,v
retrieving revision 1.37
diff -u -r1.37 Turbine.java
--- Turbine.java        14 Mar 2003 16:20:18 -0000      1.37
+++ Turbine.java        20 Mar 2003 15:30:33 -0000
@@ -881,12 +881,15 @@
         // only keys stored in the session are "turbine.user"
         // and "turbine.acl".
 
-         for( Enumeration enum = data.getSession().getAttributeNames();
-                 enum.hasMoreElements(); )
-         {
-             String attributeName = (String) enum.nextElement();
-             data.getSession().removeAttribute(attributeName);
-         }
         ActionLoader.getInstance().exec(data, data.getAction());
         cleanupTemplateContext(data);
         data.setAction(null);
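Review bot: the comment kept at the top of this hunk ("only keys stored in the session are "turbine.user" and "turbine.acl"") now describes a loop that no longer exists; update it or drop it so the next reader does not go looking for the removal code. The behaviour change is also worth stating explicitly in the javadoc: with the loop gone, every attribute set before login (session pull tools included, which is the point raised earlier in the thread) survives into the authenticated session, and the only thing that still clears the session is the invalidate() added to logoutAction, so any code that relied on a clean session at login time should be re-checked.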
@@ -906,6 +909,7 @@
     private void logoutAction(RunData data)
             throws Exception
     {
+        data.getSession().invalidate();
         ActionLoader.getInstance().exec(data, data.getAction());
         cleanupTemplateContext(data);
         data.setAction(null);
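Review bot: `data.getSession().invalidate();` runs before `ActionLoader.getInstance().exec(data, data.getAction());`, so the logout action itself executes against an already-invalidated session; any getSession() access inside it (the default action, as described above, replaces the user with an anonymous one and removes the ACL) would throw IllegalStateException. Either move the invalidate() call after the exec and cleanupTemplateContext lines, or confirm that both the default logout action and user-supplied logout actions touch only RunData and never the session. A javadoc line noting that logout now ends the servlet session would also help, since staying in the same session after logout is the behaviour Henning expects some applications to depend on.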


Index: LoginUser.java
===================================================================
RCS file:
/home/cvs/jakarta-turbine-2/src/java/org/apache/turbine/modules/actions/
LoginUser.java,v
retrieving revision 1.10
diff -u -r1.10 LoginUser.java
--- LoginUser.java      12 Mar 2003 18:36:21 -0000      1.10
+++ LoginUser.java      20 Mar 2003 15:30:18 -0000
@@ -109,15 +109,6 @@
     public void doPerform(RunData data)
             throws TurbineSecurityException
     {
-        // This prevents a db hit on second Action call during page
-        // generation.  Turbine removes everything from the Session
-        // before calling this method, so in this case we should
-        // continue on with the Login procedure.
-        if (data.getUserFromSession() != null)
-        {
-            return;
-        }
-
         String username = data.getParameters().getString(CGI_USERNAME,
"");
         String password = data.getParameters().getString(CGI_PASSWORD,
"");
 
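Review bot: removing the `if (data.getUserFromSession() != null) return;` guard drops the optimisation its comment describes (avoiding a second db hit when the action is invoked again during page generation). The removal is necessary given the Turbine.java hunk, because the session is no longer cleared before this method and an anonymous user already in the session would make the guard skip the login entirely, but a replacement check that skips the lookup only when a non-anonymous user is already present would keep the original intent. The `"");` fragments on their own lines look like mail-client wrapping of the two getString calls rather than part of the patch; worth confirming the diff applies cleanly from the archive.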


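To make the difference between the two logout strategies concrete, here is an added example that is not part of this thread or of the Turbine code base. It uses a small hypothetical stand-in for javax.servlet.http.HttpSession (a real container session behaves the same way: any access after invalidate() throws IllegalStateException) and constructed attribute values; the attribute keys "turbine.user" and "turbine.acl" are the ones named in the patch. It shows what the replace-user logout leaves behind, what invalidate() removes, and why invalidate() has to run after any code that still reads or writes the session.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class LogoutSessionDemo {

    /** Hypothetical stand-in for HttpSession: an attribute map plus an invalidated flag. */
    static class FakeSession {
        private final Map<String, Object> attrs = new HashMap<>();
        private boolean valid = true;

        private void check() {
            // Mirrors the servlet API: every method except isValid() fails once invalidated.
            if (!valid) {
                throw new IllegalStateException("session already invalidated");
            }
        }
        void setAttribute(String key, Object value) { check(); attrs.put(key, value); }
        Object getAttribute(String key) { check(); return attrs.get(key); }
        void removeAttribute(String key) { check(); attrs.remove(key); }
        Set<String> getAttributeNames() { check(); return attrs.keySet(); }
        void invalidate() { check(); valid = false; attrs.clear(); }
        boolean isValid() { return valid; }
    }

    /** Logout as the message describes the default action: swap in an anonymous user, drop the ACL. */
    static void logoutByReplacingUser(FakeSession session) {
        session.setAttribute("turbine.user", "anonymous"); // constructed stand-in for an anonymous TurbineUser
        session.removeAttribute("turbine.acl");
    }

    /** Logout that ends the whole servlet session, which is what the patch adds to logoutAction. */
    static void logoutByInvalidating(FakeSession session) {
        session.invalidate();
    }

    /** A constructed logged-in session: Turbine keys plus one piece of JSP-style session data. */
    static FakeSession loggedInSession() {
        FakeSession session = new FakeSession();
        session.setAttribute("turbine.user", "quinton");        // constructed
        session.setAttribute("turbine.acl", "acl-for-quinton"); // constructed
        session.setAttribute("cart", "3 items");                // app data stored directly in the session
        return session;
    }

    public static void main(String[] args) {
        // 1. Replace-user logout: the user is anonymous, but "cart" is still there.
        FakeSession a = loggedInSession();
        logoutByReplacingUser(a);
        System.out.println("after replace-user logout: " + a.getAttributeNames());

        // 2. Invalidating logout: nothing survives, the next request gets a fresh session.
        FakeSession b = loggedInSession();
        logoutByInvalidating(b);
        System.out.println("after invalidate logout, session still valid? " + b.isValid());

        // 3. Ordering: invalidate first and then run a logout action that touches the session
        //    (the order in the patched logoutAction, if the action uses getSession()) fails.
        FakeSession c = loggedInSession();
        logoutByInvalidating(c);
        try {
            logoutByReplacingUser(c);
        } catch (IllegalStateException e) {
            System.out.println("logout action after invalidate(): " + e.getMessage());
        }
    }
}
```

Case 1 is the leftover-data situation described in the message; case 2 is the behaviour the patch introduces; case 3 is the reason the invalidate() call belongs after the action runs rather than before it, assuming the action reads or writes the session at all.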