Message Boards

session timeout - don't clear cookies

Updated 7 years ago by Yury Dan.

session timeout - don't clear cookies

New Member  Posts: 7  Join Date: 16/05/30  Recent Posts
Hi all,
I am trying to clear cookies after session timeout. The user is logged out, but when I refresh the page I get the old user ID cookie instead of null.
My portal-ext.properties looks something like this:

session.timeout.auto.extend=false
session.timeout.redirect.on.expire=true
session.timeout.redirectUrl=/c/portal/logout
session.enable.phishing.protection=true
browser.cache.signed.in.disabled=true
session.timeout=2
session.timeout.warning=1

Is there anything I am doing wrong?
I use it to verify the user logon:

import java.security.Key;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.model.Company;
import com.liferay.portal.service.CompanyLocalServiceUtil;
import com.liferay.util.Encryptor;
import com.liferay.util.EncryptorException;
// Liferay 6.x package names assumed; errorLogin, log and CommonUtil are the poster's own fields/helpers (not shown)
public ResponseEntity<String> verifyUserLogon(HttpServletRequest req) {
	Cookie[] cookies = req.getCookies();
	// getCookies() returns null when the request carries no Cookie header at all
	if (cookies == null) return errorLogin;
	String userId = null, companyId = null;
	for (Cookie c : cookies) {
		companyId = c.getName().equals("COMPANY_ID") ? c.getValue() : companyId;
		userId = c.getName().equals("ID") ? CommonUtil.hexStringToStringByAscii(c.getValue()) : userId;
	}
	if (userId == null || companyId == null) return errorLogin;
	try {
		Company company = CompanyLocalServiceUtil.getCompany(Long.valueOf(companyId));
		Key key = company.getKeyObj();
		// the ID cookie holds the user id encrypted with the company key
		String userDecrypt = Encryptor.decrypt(key, userId);
		return userDecrypt.length() > 1 ? new ResponseEntity<String>(userDecrypt, HttpStatus.OK) : errorLogin;
	} catch (NumberFormatException | PortalException | SystemException | EncryptorException e) {
		log.error(e);
	}
	return new ResponseEntity<String>("User check Error! No cookies...", HttpStatus.SERVICE_UNAVAILABLE);
}

Thanks.
Updated 7 years ago by David H Nebinger.

RE: session timeout - don't clear cookies

Liferay Legend  Posts: 14919  Join Date: 06/09/02  Recent Posts
Cookies come from the browser, session comes from the server. They are not connected in any way and you'll find it impossible to consistently whack the cookies when the session expires.

The user may have closed the browser, navigated to another site or be offline because they drove into a tunnel. The session expires on the server but cannot message the browser to dump cookies.

The best that you can hope for is to use cookies that expire when the browser is closed, but you will not have any true control over the cookies from the server side (user might be blocking JS that would prevent your code from clearing cookies, they could manually define a cookie to hack their way back in, ...).
Updated 7 years ago by Yury Dan.

RE: session timeout - don't clear cookies

New Member  Posts: 7  Join Date: 16/05/30  Recent Posts
Hi David, thanks!
Well, it seems I should find another way to check the user in my server application. But when I press the "logout" button the cookies are cleared. Does this happen on the client side? The manual redirect to "/c/portal/logout" also clears the cookies. Maybe I can redirect to another URL?
I was hoping that this would help me:
session.timeout.redirectUrl=/c/portal/logout


I have a server application deployed on Tomcat with Liferay that gets data from the database and gives it to the client, among other things. Is there perhaps another way to check authentication? When the user is logged out I should not send data in the response.
Thanks in advance.
P.S. Sorry for my English if something is wrong.
Updated 7 years ago by David H Nebinger.

RE: session timeout - don't clear cookies

Liferay Legend  Posts: 14919  Join Date: 06/09/02  Recent Posts
Clicking the logout will clear the cookies, but that will only work if your users can click logout every time.

Session timeout, I don't think that has any impact on cookies, but since you can set the redirect page to use after session timeout, at the very least you could throw some JS on that page to clear them.

The edge cases are the ones that typically nail you, though. Unless you're protecting yourself on those edge cases you might be exposing yourself to some vulnerability.

For example, CAS uses cookies in the browser while you are authenticated; when the cookies are submitted, Liferay will call out to CAS to make sure they are valid. The CAS cookies also expire at a specified time, but that is outside of the browser configuration: if the browser is offline (in the tunnel) and then comes back, the cookie might be invalid, but only CAS knows for sure. So this kind of mechanism will occur in the browser by default, but it also applies to those edge cases.
Updated 7 years ago by Yury Dan.

RE: session timeout - don't clear cookies

New Member  Posts: 7  Join Date: 16/05/30  Recent Posts
Thank you for your detailed explanation.
Now I am trying to use HttpSession and the parameter USER_ID. When the user is logged in it is not null.
httpSession.getAttribute("USER_ID")
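Pulling the thread's advice together in code (an added example, not code from the original posts or from Liferay): a servlet filter that gates a data endpoint on server-side HttpSession state, which is where the last post ends up, plus a logout helper that invalidates the session on the server so that stale cookies cannot get a user back in, which is the point made earlier that cookies and sessions are not connected. The /api/* path, the attribute name USER_ID holding a Long or numeric String, and a Servlet 3.0 container (Tomcat 7 or later) are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Gate every /api/* request on server-side session state instead of on the
 * cookies the browser happens to send. Either a live session carrying USER_ID
 * exists, or it has timed out (or was invalidated by logout) and the request
 * is refused, whatever stale cookies the client still holds.
 */
@WebFilter(urlPatterns = "/api/*")   // path is an assumption for this example
public class SessionAuthFilter implements Filter {

    // Attribute name assumed to match what the poster reads from HttpSession.
    static final String USER_ID_ATTR = "USER_ID";

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        Long userId = currentUserId(req);
        if (userId == null) {
            // No live session: hand out no data, and keep proxies from caching the refusal.
            resp.setHeader("Cache-Control", "no-store");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session expired or not logged in");
            return;
        }
        req.setAttribute("authenticatedUserId", userId);
        chain.doFilter(request, response);
    }

    /** Returns the logged-in user id, or null when there is no valid session. */
    static Long currentUserId(HttpServletRequest req) {
        // getSession(false) never creates a session for an anonymous caller
        HttpSession session = req.getSession(false);
        if (session == null) {
            return null;
        }
        Object value = session.getAttribute(USER_ID_ATTR);
        if (value instanceof Long) {
            return (Long) value;
        }
        if (value instanceof String) {
            try {
                return Long.valueOf((String) value);
            } catch (NumberFormatException e) {
                return null;   // garbage in the attribute counts as not logged in
            }
        }
        return null;
    }

    /**
     * Server-side logout. session.invalidate() is what actually revokes access;
     * expiring JSESSIONID is only a courtesy so the browser stops presenting a
     * dead identifier. A browser that never receives this response (closed,
     * offline) is still locked out, because the server no longer has the session.
     */
    static void logout(HttpServletRequest req, HttpServletResponse resp) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        Cookie dead = new Cookie("JSESSIONID", "");
        dead.setMaxAge(0);   // Max-Age=0 tells the browser to delete the cookie
        dead.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        dead.setHttpOnly(true);
        resp.addCookie(dead);
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}
}
```

With this in place a browser that kept its cookies through a timeout gets a 401 instead of data, and nothing has to reach the browser at expiry time. If the application is a separate webapp on the same Tomcat rather than a portlet, confirm that the session the filter inspects is the one your login code populated, since each web application context has its own HttpSession.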