cocoon-users mailing list archives

From "Gautam Ganguly" <>
Subject Cocoon-2.1.7:Session objects not getting destroyed after using auth-logout action
Date Mon, 10 Oct 2005 18:05:23 GMT
Hi all,
  I have recently moved the existing web app on Cocoon 2.0.5 to Cocoon 2.1.7, and I am facing
session objects getting mixed up between multiple users. The main issue I am running into
is users getting access to apps that their group is not permitted to use.

My configuration is as follows:
Cocoon version: 2.1.7
OS: Windows 2003
Tomcat: tomcat-5.x

In brief:
My website structure is this:

Main Sitemap (login/logout takes place from here)
   |--> Sub-sitemap-ADM (ADMIN can see this, along with stuff for MANAGER and USER)
   |--> Sub-sitemap-MGR (MANAGER can see these, as well as stuff for USERS)
   |--> Sub-sitemap-Usr (simple USERs can see these)

When a user logs in, I use the authentication security handler to verify the user. Once done,
I save the user's security access level into the 'AUTHENTICATION' context. I use the [auth-protect]
action to get hold of all the authentication context data in the session.

Step 1) If the user belongs to the 'MGR' group, he gets directed to the sub-sitemap which
deals only with managerial tasks. He gets his work done, returns to the main menu, where he
logs out and ends his session.

Step 2) Another user logs in who belongs to group 'USR'; he gets directed to the sub-sitemap
[Sub-sitemap-Usr]. He goes in there, does his stuff and decides to go back to the main sitemap.
When this happens, somehow he gets hold of the previous user's authentication context,
which in my case makes him see all content belonging to the manager group (in the current case,
or of whoever happened to be the previous user tracked by the site).

While trying to figure out what's happening, I found out that session objects are not getting
destroyed when I use the [auth-logout] action. As a consequence, the 'USR' returns from the sub-sitemap
to the main sitemap and manages to see the 'MGR' guy's content, which is a bummer!

Side note:
1) I do use the security handler from the main sitemap in the sub-sitemap to check if the
user is logged in or not.
2) Based on the pipeline match, I use map:mount to load the sub-sitemaps.
3) This issue happens irrespective of whether the session was opened using different browser windows.

Has anyone come across this issue? Can you help me figure it out, please?
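For readers of this thread: the failure described above (a second user inheriting the first user's authentication context after logout) is what happens when a logout only removes some attributes or leaves the server-side session alive. The following servlet-level sketch is an added example, not Cocoon's code and not the poster's configuration; it shows the two invariants a defender wants regardless of framework: logout must invalidate the whole session, and login must start from a fresh session before the group is stored. The attribute name `security.group`, the `authenticate()` helper and the ADM > MGR > USR ranking used in `mayAccess()` are assumptions taken from the structure described in the post.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added illustration (not Cocoon's own implementation) of session lifecycle
// handling that prevents one user's authorization data from leaking to the next.
public class SessionLifecycleServlet extends HttpServlet {

    // Hypothetical attribute under which the user's group is stored.
    static final String GROUP_ATTR = "security.group";

    // Groups in ascending privilege order, mirroring the sitemap tree in the post:
    // USR < MGR < ADM. A higher-ranked group may see everything a lower one may.
    static final List<String> GROUP_RANK = Arrays.asList("USR", "MGR", "ADM");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");
        if ("logout".equals(action)) {
            logout(req);
            resp.sendRedirect(req.getContextPath() + "/login");
        } else if ("login".equals(action)) {
            String group = authenticate(req);
            if (group == null) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            login(req, group);
            resp.sendRedirect(req.getContextPath() + "/menu");
        } else {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }

    // Logout: destroy the server-side session entirely. Removing individual
    // attributes is not enough; anything left behind is visible to whoever the
    // container hands this session id to next.
    static void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    // Login: never reuse a session that existed before authentication. Invalidate
    // it and store the group in a brand-new one, so stale state cannot survive.
    static void login(HttpServletRequest req, String group) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(GROUP_ATTR, group);
    }

    // Authorization for a sub-sitemap: read the group from THIS request's session
    // only. No session, or no group attribute, means "not logged in" -> deny.
    static boolean mayAccess(HttpServletRequest req, String requiredGroup) {
        HttpSession session = req.getSession(false);
        if (session == null) {
            return false;
        }
        Object group = session.getAttribute(GROUP_ATTR);
        if (!(group instanceof String)) {
            return false;
        }
        int have = GROUP_RANK.indexOf(group);
        int need = GROUP_RANK.indexOf(requiredGroup);
        return have >= 0 && need >= 0 && have >= need;
    }

    // Hypothetical credential check. A real deployment would consult the
    // authentication backend; here it only reads a constructed form field.
    static String authenticate(HttpServletRequest req) {
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        if (user == null || pass == null || pass.isEmpty()) {
            return null;
        }
        // Constructed mapping for the example only.
        if ("admin".equals(user)) return "ADM";
        if ("manager".equals(user)) return "MGR";
        return "USR";
    }
}
```

The useful diagnostic this suggests for the thread's problem is to confirm, after a logout request, that `request.getSession(false)` returns `null` on the very next request from that browser; if it does not, the logout path is clearing attributes rather than invalidating the session, which is exactly the symptom reported above.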
