Session management

Hi there,

I noticed some weird behaviour in my SSO environment. Could it be that if the user logs out, he will be registered as a "Guest" user and show up as a guest in the admin panel?! Is there a special reason why the session is not being invalidated?

Or could there be some flaws or misbehaviour if I invalidate the session after logout?

In addition to that, some colleagues mentioned they are still listed as 'active' on the board, even though they logged out ages ago.

It is funny as well to have 8 guest members online according to "Who's online", but the admin panel currently only shows 4 guest users.

*scratches head* To me it shows that the session management is more than... buggy... to say the least.

Any hints on how to solve this myself... or when an official fix may be available?
[originally posted on jforum.net by Sid]
 
Migrated From Jforum.net
There is no special reason not to call invalidate() - the approach JForum uses is to just change the user information from a valid, logged-in one to anonymous.

I already noticed the difference between the admin panel and the online user listing on the main page.

Rafael
[originally posted on jforum.net by Rafael Steil]
 
Migrated From Jforum.net
I assume that it'd be OK if I do not add a user as anonymous when he logs out then?

That may at least kill the guest user sessions we have, which are kind of irritating, especially as no guest should be able to enter the system.
[originally posted on jforum.net by Sid]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
I think you can differentiate in the code whether the forum is run within an SSO environment. If so, invalidate. Otherwise, makeAnonymous. That's at least how I'll try to modify it...
[originally posted on jforum.net by Sid]
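One way to implement the split Sid describes (invalidate under SSO, downgrade to anonymous otherwise), as an added example written for this page in plain Servlet API. It is not JForum's own logout code: the init parameter `forum.sso.enabled`, the session attribute `forum.user`, the redirect target and the Servlet 3.1 API level (`changeSessionId`, `setHttpOnly`) are assumptions. One caveat worth keeping in mind: `invalidate()` ends only the forum's own container session; the SSO provider's session is separate and stays valid unless logout is also propagated there, so the user can be signed straight back in on the next request.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout handler for the two deployment modes discussed in the thread.
 * Added example, not JForum's UserAction/SessionFacade code; the parameter,
 * attribute and path names below are assumptions made for this example.
 */
public class LogoutServlet extends HttpServlet {

    private static final String SSO_ENABLED_PARAM = "forum.sso.enabled"; // assumed name
    private static final String USER_ATTR = "forum.user";                // assumed name
    private static final String ANONYMOUS_USER = "anonymous";
    private static final String AFTER_LOGOUT = "/forums/list";            // assumed target

    private boolean ssoEnabled;

    @Override
    public void init() throws ServletException {
        ssoEnabled = Boolean.parseBoolean(
                getServletContext().getInitParameter(SSO_ENABLED_PARAM));
    }

    // A logout link is normally a GET; a POST form is preferable because a GET
    // logout URL can be embedded by any third-party page (forced logout).
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        logout(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        logout(req, resp);
    }

    private void logout(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Never create a session just to log someone out.
        HttpSession session = req.getSession(false);
        if (session != null) {
            if (ssoEnabled) {
                // SSO: the forum has no use for an anonymous session, so drop the
                // container session outright. After invalidate() the old id cannot
                // be replayed; expiring the cookie keeps the browser from sending
                // it anyway. This does NOT end the SSO provider's own session.
                session.invalidate();
                expireCookie(req, resp, "JSESSIONID");
            } else {
                // Standalone: keep the session, strip everything the logged-in user
                // owned, then mark it anonymous (the "makeAnonymous" path).
                clearAttributes(session);
                session.setAttribute(USER_ATTR, ANONYMOUS_USER);
                // Servlet 3.1+: rotate the id so the one bound to the authenticated
                // user stops identifying anything.
                req.changeSessionId();
            }
        }
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + AFTER_LOGOUT);
    }

    // Collect names first: removing while enumerating can throw.
    private static void clearAttributes(HttpSession session) {
        List<String> names = new ArrayList<>();
        Enumeration<String> e = session.getAttributeNames();
        while (e.hasMoreElements()) {
            names.add(e.nextElement());
        }
        for (String name : names) {
            session.removeAttribute(name);
        }
    }

    // Overwrite the cookie with an already-expired one on the same path.
    private static void expireCookie(HttpServletRequest req, HttpServletResponse resp, String name) {
        Cookie cookie = new Cookie(name, "");
        cookie.setMaxAge(0);
        cookie.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        cookie.setHttpOnly(true);
        cookie.setSecure(req.isSecure());
        resp.addCookie(cookie);
    }
}
```

Map this servlet to `/user/logout` in web.xml (or with `@WebServlet`) and set `forum.sso.enabled` as a context parameter; with the flag off, the behaviour matches what Rafael describes (the session survives and the user becomes anonymous), with it on, the session is gone and no "Guest" entry is left behind for the admin panel to count.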
 
Migrated From Jforum.net
You can create a Jira issue for this, adding as Improvement.

Rafael
[originally posted on jforum.net by Rafael Steil]
 
Migrated From Jforum.net
Since you say that no guest should be in the system, a quick solution would be to move the anonymous user into a group with no forum access rights. It's not perfect, but at least the guests can't see or do anything in the system.

In addition, you can combine this with a bit of template code to redirect anonymous users to a login or other page in the header template.

The combination should protect your system from "guests".
[originally posted on jforum.net by monroe]
 
Migrated From Jforum.net
I already configured the guest without any permissions at all - even before I started with SSO ;-)

There is no redirect necessary either. The forum is within a support environment. When the user clicks on "logout", /user/logout is called.

Yet it's confusing to the logged-on users / admins / moderators to see a growing list of guests on the forum. Especially our customers do not know about the security constraints for guest users and may wonder if their information is really safe.

When I work on the forum again I'll invalidate the session after logout in case of SSO usage.

Thanks for your input
[originally posted on jforum.net by Sid]
 