Unchecking "Remember me" checkbox has no effect when logged out. Pressing the browser's back button you're still logged in and can use all functions.

Steps to reproduce:
1. Go to login page, uncheck "Remember me" checkbox
2. Login
3. Logout
4. Press the browser's back button

Actual Results:

Expected Results:

Workaround (if any):

Activity

Nadine Kämper
May 5, 2015, 7:52 AM

I used our own instance at University of Cologne. And yes you're right. After reloading I'm redirected to the login page.

p
May 5, 2015, 8:02 AM

Thanks Nadine. Out of curiosity, if you logout from the Events list and go back, do you still see the events in the list or is the table empty? The reason I am asking is that if a logged out user can still do actions (for example delete an event) then it might make this issue a lot more critical. If no action can be made, then at least we know the data is safe. On my installation, I see an empty events table.

Nadine Kämper
May 5, 2015, 8:47 AM

I see the events. But when I try to make an action I'm redirected to the login page.

Tobias Wunden
May 5, 2015, 9:54 AM

Hi Nadine, we spent a fair amount of time trying to get callbacks into the Admin UI upon expiration of your session but have not been successful. The reason for that was that Spring Security doesn't indicate authentication failures per se, it will simply send a redirect to the login page.

As a result, when your session times out, REST calls to certain resources (like the events list) will be responded to with the redirect, leading to strange behavior. Unfortunately, we haven't been able to come up with a way of identifying that and initiating a redirect of the main application page. I will let comment on this some more.

In the scenario you are describing, it seems likely that the main page is coming out of your local browser cache, hence Spring Security will again redirect REST calls instead of the application as a whole. To summarize, I don't think this will be easy to fix, but maybe someone else is able to come up with a way to reliably detect session timeouts.

Xavier Butty
May 5, 2015, 1:05 PM

Hi Nadine,

Tobias described the problem correctly. When your session is expired, the asynchronous REST calls that the admin UI is doing are getting a redirect as an answer. We are not able to deal with it as the status code that we get is the one resulting from the redirect (so 200 instead of 302). The solution would be to create an AuthenticationFailureHandler that would return the status code 401 instead of a redirect in case of session timeouts.

Xavier
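Added example (not Opencast code and not part of this thread) of the fix Xavier describes: Spring Security's hook for unauthenticated requests to protected resources is AuthenticationEntryPoint (AuthenticationFailureHandler only covers failed login-form submissions), so the example implements that. The class name, the login path and the headers used to recognise an asynchronous call are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/**
 * Spring Security calls commence() when an unauthenticated request (for
 * example one arriving after the session has expired) hits a protected URL.
 * Browser navigations keep the familiar redirect to the login page; the
 * admin UI's asynchronous REST calls get a bare 401 instead, so the client
 * sees "session gone" rather than a 200 carrying the login page's HTML.
 */
public class AjaxAwareEntryPoint implements AuthenticationEntryPoint {

  private final String loginPath; // assumed value, e.g. "/login.html"

  public AjaxAwareEntryPoint(String loginPath) {
    this.loginPath = loginPath;
  }

  /** Heuristic (assumed): XHR marker header, or a client wanting JSON, not HTML. */
  static boolean isAsyncRestCall(HttpServletRequest request) {
    String requestedWith = request.getHeader("X-Requested-With");
    String accept = request.getHeader("Accept");
    return "XMLHttpRequest".equalsIgnoreCase(requestedWith)
        || (accept != null && accept.contains("application/json")
            && !accept.contains("text/html"));
  }

  @Override
  public void commence(HttpServletRequest request, HttpServletResponse response,
      AuthenticationException cause) throws IOException, ServletException {
    // Keep the reply out of the browser cache so the back button cannot
    // replay a page that only looked authenticated.
    response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
    response.setHeader("Pragma", "no-cache");
    response.setDateHeader("Expires", 0);

    if (isAsyncRestCall(request)) {
      // No WWW-Authenticate header: a bare 401 avoids the browser's own
      // basic-auth prompt and lets the UI script send the user to the login page.
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session expired");
    } else {
      response.sendRedirect(request.getContextPath() + loginPath);
    }
  }
}
```

Register the bean with the entry-point-ref attribute of the security namespace's http element, and have the admin UI's REST client treat a 401 on any call as "reload the application page".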

Assignee

Xavier Butty

Reporter

Nadine Kämper

Severity

Non Functioning

Priority

Major