I had just overwritten it and placed an NSLog to see if it was being
called, but I didn't see the log.
When I hit the back button I go back to the page I was on before, with a
new sessionID.
We use the direct action request handler as a default to avoid
unnecessary session creation. But a session in itself is nothing bad,
so why do you worry about it at all? If you rely on a user connected
to a session, then you should check the user's existence before
returning any sensible data.
In the Session is where I check the request and ask for the fields
userName and password; then I try to authenticate. If there is no such
user I return an exception and show the warning box in the login page.
What I really don't understand is why, even though I see that the session
created by logging in is terminated when logging out, when I go back I
create a new session but I don't have to type the userName and password
again; the request has those fields already.
G.
Regards,
Susanne
Gustavo Pizano wrote:
Susanne, hi.
Mmm, no, this method is not being called when backing the browser. I have
realized that in the NSLog I placed in createSessionForRequest I'm showing
the sessionID, and when backing the browser it's creating a new one...
this is weird; I would have said it was because there was one open
session from before the login action.
:'(:'(
G.
On Fri, Sep 25, 2009 at 2:24 PM, Susanne Schneider <email@hidden> wrote:
Hi Gustavo,
hmm, returning to the application and not returning into the terminated
session should cause no problems. As you could not prohibit the browser
from sending any stale request (from the terminated session) you should
have implemented the "handleSessionRestorationErrorInContext" from the
application class to forward the browser to your main entrance page (with
maybe a session timeout notice).
Regards,
Susanne
Gustavo Pizano wrote:
Susanne, hello.
In fact I came to the office just now also and I hadn't tried to
implement the log out again. My LogOut WOComponent only has a <label> tag
that says "Log out Successfully", that's it. I have nothing else, so I'm
not having any component with actions or such a thing, but backing the
browser will return me to the application... I'm trying to figure out
first if it's because of the problem I'm having that 2 sessions are being
created, one when the app launches and the other one when the user logs
in, and when I log out, the session that terminates is the one that was
created when the user logged in, so I'm supposing the one that is allowing
me to go back on the browser is the other one. I'm trying to get rid of
it.
I will let you know how it went.
G.
On Fri, Sep 25, 2009 at 2:04 PM, Susanne Schneider <email@hidden> wrote:
Hi Gustavo,
sorry for the delay, I haven't been in the office yesterday. Maybe you
solved your problem already?
So I suppose the difference between your and our approach is that you are
working with two custom components:
1) page with the logout-link
2) page with the logout-message from the direct action
and we are using three components:
1) page with logout link to return page 2
2) unshown page for terminating session with the posted appendToResponse
method (this is more or less a handwritten WORedirect)
3) page with logout-message from direct action
I think the direct action is completely ok. If you do not include any
stateful components, as already mentioned, there shall be no session.
Otherwise there should be a fresh session created. The possibility to
return to the former session by browser-back is a security issue which
indicates that the old session has not been terminated. I would suspect
that the WORedirect preserves the session from terminating.
Regards,
Susanne
Gustavo Pizano wrote:
Susanne, thanks so much.
I will apply your method to my project and see what happens...
One question:
is my DirectAction good? I mean, as you saw I'm using the pageWithName()
method, and I read that using that I'm referencing the old session... I
have confusion here.
Also I must override the appendToResponse method in the LogOut
WOComponent, isn't it?
Thx.
Gustavo
On Sep 24, 2009, at 5:48 PM, Susanne Schneider wrote:
Hi Gustavo,
this is what we are doing to logout:
1) the logout link returns a logout-page without any real surface where
the appendToResponse is overwritten to terminate the session and to
redirect to a "you logged out successfully" page. The method is:

    public void appendToResponse(WOResponse response, WOContext context) {
        // necessary?
        super.appendToResponse(response, context);
        // finish session
        session().logout();
        session().terminate();
        // redirect
        String redirectURL = context.request().adaptorPrefix()
            + "/" + context.request().applicationName() + ".woa/wa/logout";
        response.setStatus(302);
        response.setHeader(redirectURL, "location");
        response.setHeader("0", "content-length");
    }

2) The DirectAction "logoutAction" returns a stateless page with the
logout hint. If you want to avoid creating a session on this page make
sure that you do not touch anything that needs a session. This is
especially true for any form elements or component-action-links.
HTH,
Susanne
--
Susanne Schneider
Coordinator secuTrial Development
iAS interActive Systems GmbH
Dieffenbachstraße 33 c, D-10967 Berlin
fon +49(0)30 22 50 50 - 498
fax +49(0)30 22 50 50 - 451
mail email@hidden
web http://www.interActive-Systems.de
----------------------------------------------------
Managing Directors: Dr. Marko Reschke, Thomas Fritzsche
Registered office: Berlin
Amtsgericht Berlin Charlottenburg, HRB 106103B
----------------------------------------------------
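
Added example, not part of the original thread and not the posters' code: a sketch of the two safeguards Susanne describes, forwarding stale-session requests from handleSessionRestorationErrorInContext and checking for a logged-in user before returning protected data. The sessionExpired and account actions, the SessionExpired, Login and Account page names and the "user" session key are assumptions, and the two classes belong in separate files with the WebObjects frameworks on the classpath.

```java
// --- Application.java ---
import com.webobjects.appserver.*;

public class Application extends WOApplication {

    // Invoked when a request carries a session ID that can no longer be
    // restored, e.g. a stale component-action URL replayed with
    // browser-back after the session was terminated on logout.
    @Override
    public WOResponse handleSessionRestorationErrorInContext(WOContext context) {
        // Forward to a stateless entrance page instead of showing the
        // default error page. "sessionExpired" is an assumed action name.
        WORedirect redirect = new WORedirect(context);
        redirect.setUrl(context.directActionURLForActionNamed("sessionExpired", null));
        return redirect.generateResponse();
    }
}

// --- DirectAction.java (same import as above) ---
public class DirectAction extends WODirectAction {

    public DirectAction(WORequest request) {
        super(request);
    }

    // Stateless notice page; it must not contain forms or
    // component-action links, otherwise a new session is created.
    public WOActionResults sessionExpiredAction() {
        return pageWithName("SessionExpired"); // assumed page name
    }

    // Protected entry point: a session alone proves nothing, so check
    // that an authenticated user is attached to it before answering.
    public WOActionResults accountAction() {
        // existingSession() returns null rather than creating a session.
        WOSession session = existingSession();
        // "user" is an assumed key, set by the login code on success
        // via session.setObjectForKey(user, "user").
        if (session == null || session.objectForKey("user") == null) {
            return pageWithName("Login"); // assumed page name
        }
        return pageWithName("Account"); // assumed page name
    }
}
```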