Session management

Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Hi there,

I noticed some weird behaviour in my SSO environment. Could it be that if the user logs out, he will be registered as "Guest" user and show up as guest to the admin panel?! Is there a special reason for why the session is not being invalidated?

Or could there be some flaws or misbehaviour if I invalidate the session after logout?

In addition to that, some colleagues mentioned they are still listed as 'active' on the board, even though they logged out ages ago.

Funny it is as well to have 8 guest members online according to who's online, but in the admin panel it currently only shows 4 guest users.

*scratches head* To me it shows that the session management is more than... buggy... to say the least.

Any hints on how to solve this self-made... or when an official fix may be available?
[originally posted on jforum.net by Sid]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
There is no special reason to not call invalidate() - the approach JForum uses is to just change the user information, from a valid, logged one, to anonymous.

I already noticed the difference between the admin panel and online user listing on the main page.

Rafael
[originally posted on jforum.net by Rafael Steil]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
I assume that it'd be ok if I do not add a user as anonymous when he logs out then?

That may at least kill the guest user sessions we have, that are kind of irritating, especially as no guest should be able to enter the system.
[originally posted on jforum.net by Sid]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
I think you can differ in the code if the forum is run within an SSO environment. If so invalidate. Otherwise makeanonymous. That's at least how I'll try to modify it ...
[originally posted on jforum.net by Sid]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
You can create a Jira issue for this, adding as Improvement.

Rafael
[originally posted on jforum.net by Rafael Steil]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Since you say that no guest should be in the system, a quick solution would be to move the anonymous user into a group with no forum access rights. It's not perfect, but at least the guests can't see or do anything in the system.

In addition, you can combine this with a bit of template code to redirect anonymous users to a login or other page in the header template.

The combination should protect your system from "guests".
[originally posted on jforum.net by monroe]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
I already configured the guest without permissions at all - even before I started with SSO ;-)

There is no redirect necessary either. The forum is within a support environment. When the user clicks on "logout" the /user/logout is being called.

Yet it's confusing to the logged on users / admins / moderators to see a growing list of guests on the forum. Especially our customers do not know about the security constraints for guest users and may wonder if their information is really safe.

When I work on the forum again I'll invalidate the session after logout in case of SSO usage.

Thanks for your input
[originally posted on jforum.net by Sid]
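
The two logout behaviours discussed in this thread, as an added example that is not JForum code and was not posted by any participant: a small stand-alone model in which logout either rebinds the session to the anonymous user or removes it, as `HttpSession.invalidate()` would. The class, method and user names are hypothetical, and the `ssoMode` flag stands in for however the board detects SSO.

```java
import java.util.*;

// Hypothetical model (not JForum code): one map entry per server-side session.
public class LogoutStrategies {
    static final String ANONYMOUS = "Guest";
    // session id -> user currently bound to that session
    private final Map<String, String> sessions = new LinkedHashMap<>();
    private final boolean ssoMode;   // assumption: the board knows it runs behind SSO

    LogoutStrategies(boolean ssoMode) { this.ssoMode = ssoMode; }

    String login(String user) {
        String id = UUID.randomUUID().toString();
        sessions.put(id, user);
        return id;
    }

    // Under SSO the session is dropped entirely; otherwise it is kept
    // and rebound to the anonymous user, so the same session id stays live.
    void logout(String sessionId) {
        if (ssoMode) {
            sessions.remove(sessionId);   // stands in for HttpSession.invalidate()
        } else {
            sessions.replace(sessionId, ANONYMOUS);
        }
    }

    boolean isLive(String sessionId) { return sessions.containsKey(sessionId); }

    long guestsOnline() {
        return sessions.values().stream().filter(ANONYMOUS::equals).count();
    }

    int sessionsOnline() { return sessions.size(); }

    public static void main(String[] args) {
        for (boolean sso : new boolean[] {false, true}) {
            LogoutStrategies board = new LogoutStrategies(sso);
            String a = board.login("alice");   // constructed sample users
            String b = board.login("bob");
            board.login("carol");
            board.logout(a);
            board.logout(b);
            System.out.printf("sso=%b sessions=%d guests=%d oldIdStillLive=%b%n",
                    sso, board.sessionsOnline(), board.guestsOnline(), board.isLive(a));
        }
    }
}
```

In the non-SSO branch every logout leaves one more "Guest" entry in the online list and the pre-logout session id remains valid; in the SSO branch both disappear with the session.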