  1. ngrinder
  2. NGRINDER-338

Not able to log in when the server is restarted while logged in

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Not a Bug
    • Affects Version/s: 3.0.1
    • Fix Version/s: 3.0.2
    • Component/s: controller
    • Labels:
      None

      Description

      When the server is restarted while a user is logged in, it sometimes fails to log in again. This is because some sessions and related cookies remain in the Spring Security context.

      I found following line in applicationContext-security.xml
      <session-management invalid-session-url="/login" session-fixation-protection="migrateSession" />

      migrateSession is

      • Indicates whether an existing session should be invalidated when a user authenticates and a new session
        started. If set to "none" no change will be made. "newSession" will create a new empty session.
        "migrateSession" will create a new session and copy the session attributes to the new session. Defaults to
        "migrateSession".

      We may need newSession instead here.

        Activity

        junoyoon JunHo Yoon added a comment -

        Mavlarn, please follow up on this issue.

        mavlarn Mavlarn Tuohuti added a comment -

        It is related to the Tomcat configuration. By default, Tomcat saves sessions and uses them after a restart. But in our system, the session is not valid.
        In Tomcat's config:
        <Context>

        <!-- Default set of monitored resources -->
        <WatchedResource>WEB-INF/web.xml</WatchedResource>

        <!-- Uncomment this to disable session persistence across Tomcat restarts -->
        <!--
        <Manager pathname="" />
        -->

        </Context>

        And the "session-fixation-protection" setting is used to protect against session-stealing attacks; I think it is not related to this problem.
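An added example, not part of the original issue or the ngrinder code base: a small check that reads the two configuration files discussed above and reports whether Tomcat still persists sessions across restarts and which session-fixation mode is in effect. The sample XML is constructed from the snippets quoted in the issue, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the snippets quoted in this issue.
TOMCAT_DEFAULT = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
  <!--
  <Manager pathname="" />
  -->
</Context>"""
TOMCAT_FIXED = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
  <Manager pathname="" />
</Context>"""
# The enclosing <beans>/<http> elements are assumed; only the
# <session-management> line comes from the issue.
SPRING_SECURITY = """<beans:beans
    xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http>
    <session-management invalid-session-url="/login"
        session-fixation-protection="migrateSession" />
  </http>
</beans:beans>"""

def local(tag):
    """Strip an XML namespace: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def tomcat_persists_sessions(context_xml):
    """True unless an active <Manager pathname=""/> is present."""
    root = ET.fromstring(context_xml)  # the parser drops XML comments
    return not any(local(el.tag) == "Manager" and el.get("pathname") == ""
                   for el in root.iter())

def fixation_mode(security_xml):
    """Effective session-fixation-protection value."""
    root = ET.fromstring(security_xml)
    for el in root.iter():
        if local(el.tag) == "session-management":
            return el.get("session-fixation-protection", "migrateSession")
    return "migrateSession"  # default, per the text quoted in the issue

def audit(context_xml, security_xml):
    findings = []
    if tomcat_persists_sessions(context_xml):
        findings.append("tomcat: sessions are persisted across restarts")
    if fixation_mode(security_xml) == "none":
        findings.append("spring: session is not changed at login")
    return findings
```

Because the XML parser discards comments, the commented-out `<Manager pathname="" />` in the default context file is correctly reported as persistence still being enabled.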

        mavlarn Mavlarn Tuohuti added a comment -

        The user should modify the Tomcat configuration.

        junoyoon JunHo Yoon added a comment -

        Already done


          People

          • Assignee:
            mavlarn Mavlarn Tuohuti
            Reporter:
            junoyoon JunHo Yoon