[jira] [Commented] (OFBIZ-12047) Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-12047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17283636#comment-17283636 ]

Olivier Heintz commented on OFBIZ-12047:
----------------------------------------

After a strange behaviour in VueJS components, I have checked a little more.

From my point of view (but clearly I do not have an understanding of RequestHandler and the login Java process), there are already a lot of hardcoded request names ("checkLogin", "ajaxCheckLogin", ...) and it's possible to test with equals("login") rather than contains; it seems more secure.

If we want to manage all cases, it would be necessary to add not equals("SetTimeZoneFromBrowser") too, but it is necessary in a very specific case, so I prefer to forget this case.

So in the new patch, the only modification is the change from path.contains("login") to requestUri.equals("login").

[^RequestHandler.java.patch]

> Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages
> -----------------------------------------------------------------------
>
>                 Key: OFBIZ-12047
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12047
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/webapp
>    Affects Versions: Release Branch 18.12, Trunk
>            Reporter: Ingo Könemann
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: 18.12.01, Upcoming Branch
>
>         Attachments: RequestHandler.java.patch, RequestHandler.java.patch
>
>
> There is a session attribute called "_PREVIOUS_REQUEST_" used to remember and execute the previous request after a login occurs. This attribute is not removed properly when navigating away from a page without logging in.
> When navigating to a page that requires authentication, the "_PREVIOUS_REQUEST_" attribute is saved in the session from within the LoginWorker to be called again when the login was successful through the RequestHandler. Currently, the attribute is only removed when a login occurs, resulting in the previous request being stored in the session until some form of login is successfully executed.
> This behavior potentially results in navigation problems since a user is able to navigate to a page requiring authentication without logging in. An old request will be pulled from the session when a similar event occurs and the user logs in.
>  
> I propose to have the RequestHandler remove the session attribute "_PREVIOUS_REQUEST_" after calling a request that does not require authentication. We also have to restructure the sequence of request handling to have the "targetRequestUri" handled after the security check and a possible removal of the session attribute.
>  
> One problem arises with this solution, however, which should be less of an issue than the current state:
> If the login page includes a request call that is handled after the request showing the login page (for example an ajax call rendering a screen), the "_PREVIOUS_REQUEST_" attribute will be lost before the login is processed. To my knowledge such a case does not exist within the OFBiz environment and seems to be an edge case far less problematic than the above mentioned problem.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
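As an added example (this is not OFBiz code and not the attached patch), here is a self-contained Java model of the session handling the issue describes. The session is a plain Map, and the request names, the set of requests that need authentication, and the "loginHelp" request name are all constructed for the demo. It shows the attribute surviving until a later login under the reported behaviour, being cleared by an unrelated public request under the proposed behaviour, the normal protected-page -> login -> replay flow still working, and why an equals("login") test keeps a narrower exception from the clearing than contains("login").

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example modelling OFBIZ-12047; not OFBiz's RequestHandler or LoginWorker.
 * The session is a plain Map and the request table below is constructed.
 */
public class PreviousRequestDemo {
    static final String PREVIOUS_REQUEST = "_PREVIOUS_REQUEST_";
    static final String USER_LOGIN = "userLogin";

    // Constructed request table: names that require a logged-in user.
    static final Set<String> AUTH_REQUIRED = Set.of("viewProfile", "editOrder");

    // The two tests compared in the discussion: a substring match versus an exact match.
    static boolean isLoginRequestByContains(String requestUri) {
        return requestUri.contains("login");
    }

    static boolean isLoginRequestByEquals(String requestUri) {
        return requestUri.equals("login");
    }

    /**
     * Handle one request. clearOnPublicRequest=false reproduces the reported behaviour
     * (the attribute survives until some login succeeds); true applies the proposed
     * change: a request that needs no authentication and is not the login request
     * itself removes the attribute. Returns a string describing the outcome.
     */
    static String handle(Map<String, Object> session, String requestUri, boolean clearOnPublicRequest) {
        boolean loggedIn = session.containsKey(USER_LOGIN);
        if (AUTH_REQUIRED.contains(requestUri) && !loggedIn) {
            // Security check failed: remember the target and send the user to login.
            session.put(PREVIOUS_REQUEST, requestUri);
            return "redirect:login";
        }
        if (clearOnPublicRequest && !isLoginRequestByEquals(requestUri)) {
            // Public request outside the login flow: drop any stale saved target.
            session.remove(PREVIOUS_REQUEST);
        }
        return "render:" + requestUri;
    }

    /** Successful login: replay the saved request if there is one, and clear it. */
    static String login(Map<String, Object> session, String user) {
        session.put(USER_LOGIN, user);
        Object previous = session.remove(PREVIOUS_REQUEST);
        return previous == null ? "render:main" : "redirect:" + previous;
    }

    public static void main(String[] args) {
        // Scenario from the issue: hit a protected page, navigate away without
        // logging in, and log in much later from an unrelated page.
        Map<String, Object> old = new HashMap<>();
        handle(old, "viewProfile", false);                        // target stored
        handle(old, "main", false);                               // not cleared (reported behaviour)
        System.out.println("reported: " + login(old, "alice"));  // redirect:viewProfile (stale replay)

        Map<String, Object> fixed = new HashMap<>();
        handle(fixed, "viewProfile", true);                       // target stored
        handle(fixed, "main", true);                              // cleared by the public request
        System.out.println("proposed: " + login(fixed, "alice")); // render:main

        // Normal flow is unaffected: protected page -> login page -> successful login.
        Map<String, Object> normal = new HashMap<>();
        handle(normal, "editOrder", true);
        handle(normal, "login", true);                            // the login request does not clear
        System.out.println("normal: " + login(normal, "bob"));   // redirect:editOrder

        // contains() versus equals(): "loginHelp" is a constructed public request name.
        // With contains() it would be exempted from the clearing like the login page;
        // with equals() only the request literally named "login" is exempted.
        System.out.println("contains: " + isLoginRequestByContains("loginHelp")); // true
        System.out.println("equals:   " + isLoginRequestByEquals("loginHelp"));   // false
    }
}
```

The model keeps the security check ahead of any replay, which is the reordering the issue asks for: the saved target is only read back inside a successful login, and every other non-login request without an authentication requirement discards it. The comparison at the end is the practical reason for preferring equals(): each extra request name that happens to contain "login" would otherwise widen the set of pages on which a stale target survives.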