"Quinton McCombs" <[EMAIL PROTECTED]> writes:
Ok, I'm convinced. +1 from me for that.
Regards
Henning
>> -----Original Message-----
>> From: Henning Schmiedehausen [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, March 20, 2003 5:02 AM
>> To: Quinton McCombs
>> Cc: Turbine Development List
>> Subject: Re: Login/Logout & session invalidating
>>
>>
>>
>> >
>> > The problem with this idea is that we will lose session pull tools
>> > since they will be removed before the login action executes.
>> >
>> > I suggest that we make Turbine.logoutUser invalidate the
>> session. We
>> > could then remove the existing code in Turbine.loginUser() that
>> > removes all of the data from the session.
>> >
>> > Anyone see a problem with this?
>>
>> I was thinking about this and now I know why. :-) Consider
>> the case where you have an application that has
>> "authenticated" and "non-authenticated" parts. E.g. a portal
>> site where you can access information but need to log in when
>> you want to post. It might be possible that a user starts a
>> (servlet) session, browses for a while, then logs in, posts
>> some articles and logs out again. Currently, the next
>> requests would stay in the same servlet session. Your
>> proposal would start a new session right at this moment. I'm
>> not sure if there are not applications that rely on the fact
>> that you can log out but stay in the same servlet session.
>I think that another side effect of the way it currently
>works is that when the user logs out there is still data in
>their session. The user has been replaced with an anonymous
>user by the default logout action and the acl is removed.
>However, if the user used the session itself for data storage
>that data will be left after logout.
>This won't be a problem as long as TurbineUser is used for
>the storage of data. I am more concerned about people using
>JSP who will be more accustomed to using the session for storage.
>
>Here is a unidiff output with the changes to Turbine and LoginUser.
>Index: Turbine.java
>===================================================================
>RCS file:
>/home/cvs/jakarta-turbine-2/src/java/org/apache/turbine/Turbine.java,v
>retrieving revision 1.37
>diff -u -r1.37 Turbine.java
>--- Turbine.java 14 Mar 2003 16:20:18 -0000 1.37
>+++ Turbine.java 20 Mar 2003 15:30:33 -0000
>@@ -881,12 +881,15 @@
> // only keys stored in the session are "turbine.user"
> // and "turbine.acl".
>
>- for( Enumeration enum = data.getSession().getAttributeNames();
>- enum.hasMoreElements(); )
>- {
>- String attributeName = (String) enum.nextElement();
>- data.getSession().removeAttribute(attributeName);
>- }
> ActionLoader.getInstance().exec(data, data.getAction());
> cleanupTemplateContext(data);
> data.setAction(null);
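Review bot: the two comment lines kept at the top of this hunk ("only keys stored in the session are "turbine.user" and "turbine.acl"") describe the attribute-clearing loop that the hunk deletes, so they are now stale; either drop them or reword them to say why the session is deliberately left intact on login. Also, the header `@@ -881,12 +881,15 @@` announces three more lines in the new version than in the old, yet the visible hunk only removes six lines and adds none, so the hunk as pasted looks incomplete; please re-send the full diff.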
>@@ -906,6 +909,7 @@
> private void logoutAction(RunData data)
> throws Exception
> {
>+ data.getSession().invalidate();
> ActionLoader.getInstance().exec(data, data.getAction());
> cleanupTemplateContext(data);
> data.setAction(null);
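Review bot: `data.getSession().invalidate();` runs before `ActionLoader.getInstance().exec(data, data.getAction());`, so the logout action itself executes against an already-invalidated session; any `getAttribute`/`setAttribute`/`removeAttribute` it performs (the quoted message says the default logout action swaps in an anonymous user and removes the ACL) will throw `IllegalStateException` on a standard servlet container. Consider moving the invalidation after the `exec` call, or making the logout action avoid the session entirely. Invalidating on logout is the right way to make sure nothing the user stored directly in the session survives the logout, which is the concern raised above; only the ordering needs to change.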
>Index: LoginUser.java
>===================================================================
>RCS file:
>/home/cvs/jakarta-turbine-2/src/java/org/apache/turbine/modules/actions/
>LoginUser.java,v
>retrieving revision 1.10
>diff -u -r1.10 LoginUser.java
>--- LoginUser.java 12 Mar 2003 18:36:21 -0000 1.10
>+++ LoginUser.java 20 Mar 2003 15:30:18 -0000
>@@ -109,15 +109,6 @@
> public void doPerform(RunData data)
> throws TurbineSecurityException
> {
>- // This prevents a db hit on second Action call during page
>- // generation. Turbine removes everything from the Session
>- // before calling this method, so in this case we should
>- // continue on with the Login procedure.
>- if (data.getUserFromSession() != null)
>- {
>- return;
>- }
>-
> String username = data.getParameters().getString(CGI_USERNAME,
>"");
> String password = data.getParameters().getString(CGI_PASSWORD,
>"");
>
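Review bot: removing the `data.getUserFromSession() != null` early return is consistent with the Turbine.java change (the loop that cleared the session before this action ran is gone, so the comment's rationale no longer holds), but note the combined effect: a login on a session that already carries a user now neither clears that session nor invalidates it, so attributes left by the previous user remain, and the DB lookup the old guard avoided now happens on every call. If that is not intended, consider invalidating or replacing the session on successful login as well, which also gives the authenticated user a fresh session identifier.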
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
--
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen INTERMETA GmbH
[EMAIL PROTECTED] +49 9131 50 654 0 http://www.intermeta.de/
Java, perl, Solaris, Linux, xSP Consulting, Web Services
freelance consultant -- Jakarta Turbine Development -- hero for hire