[
https://issues.apache.org/jira/browse/OFBIZ-12047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17283666#comment-17283666 ]
Michael Brohl commented on OFBIZ-12047:
---------------------------------------
The best way to handle all (current OOTB and custom projects cases) is to provide a configuration option to exclude requests from the special handling. It does not require additional hardcoding in the RequestHandler and brings the most flexibility.
We should have in mind that OFBiz is a framework and has a plugin mechanism, so custom implementations could also have the need to configure additional requests to be excluded.
Hence the suggestion to make the list of excluded requests configurable (through properties and SystemProperty.get...).
> Remove _PREVIOUS_REQUEST_ Session Attribute on non-authentication pages
> -----------------------------------------------------------------------
>
> Key: OFBIZ-12047
> URL: https://issues.apache.org/jira/browse/OFBIZ-12047
> Project: OFBiz
> Issue Type: Bug
> Components: framework/webapp
> Affects Versions: Release Branch 18.12, Trunk
> Reporter: Ingo Könemann
> Assignee: Jacques Le Roux
> Priority: Minor
> Fix For: 18.12.01, Upcoming Branch
>
> Attachments: RequestHandler.java.patch, RequestHandler.java.patch
>
>
> There is a session attribute called "_PREVIOUS_REQUEST_" used to remember and execute the previous request after a login occurs. This attribute is not removed properly when navigating away from a page without logging in.
> When navigating to a page that requires authentication the "_PREVIOUS_REQUEST_" attribute is saved in the session from within the LoginWorker to be called again when the login was successful through the RequestHandler. Currently, the attribute is only removed when a login occurs resulting in the previous request being stored in the session until some form of login is successfully executed.
> This behavior potentially results in navigation problems since a user is able to navigate to a page requiring authentication without logging in. An old request will be pulled from the session when a similar event occurs and the user logs in.
>
> I propose to have the RequestHandler remove the session attribute "_PREVIOUS_REQUEST_" after calling a request that does not require authentication. We also have to restructure the sequence of request handling to have the "targetRequestUri" handled after the security check and a possible removal of the session attribute.
>
> One problem arises with this solution, however, which should be less of an issue than the current state:
> If the login page includes a request call that is handled after the request showing the login page (for example an ajax call rendering a screen), the "_PREVIOUS_REQUEST_" attribute will be lost before the login is processed. To my knowledge such a case does not exist within the OFBiz environment and seems to be an edge case far less problematic than the above mentioned problem.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
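The following is an added, self-contained illustration of the handling order proposed in the issue (security check first, then removal of the stale `_PREVIOUS_REQUEST_` attribute on public requests, then resolution of the target request) together with the configurable exclusion list suggested in the comment. It is not OFBiz project code: the class names, the `Session` stand-in for `HttpSession`, the property name and the request URIs are all assumptions chosen for the example.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

/** Added example modelling OFBIZ-12047; not OFBiz code. All names are assumptions. */
public class PreviousRequestCleanupExample {
    static final String PREVIOUS_REQUEST = "_PREVIOUS_REQUEST_";

    /** Minimal stand-in for HttpSession so the example runs without the servlet API. */
    static class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        Object getAttribute(String k) { return attrs.get(k); }
        void setAttribute(String k, Object v) { attrs.put(k, v); }
        void removeAttribute(String k) { attrs.remove(k); }
    }

    /** Controller entry: the request URI and whether it requires authentication. */
    static class RequestMap {
        final String uri; final boolean requiresAuth;
        RequestMap(String uri, boolean requiresAuth) { this.uri = uri; this.requiresAuth = requiresAuth; }
    }

    /** Parses a hypothetical comma-separated property (e.g. from a properties file or a
     *  SystemProperty entity) listing public requests that must NOT clear _PREVIOUS_REQUEST_,
     *  such as an ajax request fired by the login screen itself. */
    static Set<String> loadExcludedRequests(String propertyValue) {
        if (propertyValue == null || propertyValue.isBlank()) return new HashSet<>();
        return Arrays.stream(propertyValue.split(","))
                .map(String::trim).filter(s -> !s.isEmpty()).collect(Collectors.toSet());
    }

    /** Stands in for LoginWorker: an unauthenticated hit on a protected request remembers the
     *  URI in the session and sends the user to the login page. */
    static String securityCheck(Session s, RequestMap req, boolean loggedIn) {
        if (req.requiresAuth && !loggedIn) {
            s.setAttribute(PREVIOUS_REQUEST, req.uri);
            return "login";
        }
        return "success";
    }

    /** Stands in for RequestHandler with the proposed ordering. Returns the request that is
     *  finally executed ("login" when the user is redirected to the login page). */
    static String handle(Session s, RequestMap req, boolean loggedIn, Set<String> excluded) {
        // 1. Security check first, so a protected request can still record itself.
        String result = securityCheck(s, req, loggedIn);
        // 2. A public request (unless configured as excluded) drops any stale previous request,
        //    so it cannot be replayed by an unrelated login much later.
        if (!req.requiresAuth && !excluded.contains(req.uri)) {
            s.removeAttribute(PREVIOUS_REQUEST);
        }
        if ("login".equals(result)) return "login";
        // 3. Only now resolve the target: a successful login replays the remembered request once.
        if ("login".equals(req.uri) && loggedIn) {
            Object previous = s.getAttribute(PREVIOUS_REQUEST);
            s.removeAttribute(PREVIOUS_REQUEST);
            return previous != null ? previous.toString() : "main";
        }
        return req.uri;
    }

    public static void main(String[] args) {
        // Constructed scenario: "ajaxLoginWidget" is a public request the login page calls.
        Set<String> excluded = loadExcludedRequests("ajaxLoginWidget, ");
        Session s = new Session();
        RequestMap orderList = new RequestMap("orderlist", true);
        RequestMap main = new RequestMap("main", false);
        RequestMap widget = new RequestMap("ajaxLoginWidget", false);
        RequestMap profile = new RequestMap("editProfile", true);
        RequestMap login = new RequestMap("login", false);

        System.out.println(handle(s, orderList, false, excluded)); // login: orderlist remembered
        System.out.println(handle(s, widget, false, excluded));    // ajaxLoginWidget: excluded, kept
        System.out.println(s.getAttribute(PREVIOUS_REQUEST));      // orderlist
        System.out.println(handle(s, main, false, excluded));      // main: stale attribute cleared
        System.out.println(s.getAttribute(PREVIOUS_REQUEST));      // null
        System.out.println(handle(s, profile, false, excluded));   // login: editProfile remembered
        System.out.println(handle(s, login, true, excluded));      // editProfile, not orderlist
    }
}
```

Run with `java PreviousRequestCleanupExample.java` (Java 11 or later). The last two lines of `main` show the point of the ticket: after the user abandoned the `orderlist` attempt and browsed a public page, a later login lands on `editProfile` rather than replaying the old request, while the excluded `ajaxLoginWidget` request leaves the attribute untouched as the comment suggests.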