[coldbox:10474] Default Security Interceptor: How does it handle an expired session ?

Are you sure the browser isn’t just caching the page? Put in some logging to ensure the interceptor is being fired.

Brad,

My guess is that he is not checking to see if the session has expired and redirecting the user back to the login page (instead re-logging the user straight back in), because if he had then he would not be having this issue. But it also makes me question whether the session is really expiring if this condition is being checked for, because if the pages require certain session information the page should be throwing an error, regardless of being cached or not.

Regards,

Andrew Scott

http://www.andyscott.id.au/

I have found the reason for this false behaviour using FusionDebug:
- The Default Security Interceptor is entered correctly
- BUT: The method '_isUserInValidState' returns true; which is NOT correct after a session has expired
- It uses either a user-defined validator - the creation of which I wanted to avoid; or it loops over CF Roles (please see my other thread); and for at least one role the CF function 'isUserInRole' still returns true ...
- The question now is: Why does 'isUserInRole' return true after a session has expired ? And cflogout has been called in onSessionEnd ?
Could anybody please shed some light on what exactly one has to do ?

Sounds like you are using the sample code, and like I said you have to roll this to suit yourself.

Regards,
Andrew Scott
http://www.andyscott.id.au/

From: coldbox@googlegroups.com [mailto:coldbox@googlegroups.com] On Behalf Of verlsnake
Sent: Tuesday, 21 June 2011 4:53 AM
To: ColdBox Platform
Subject: [coldbox:10493] Re: Default Security Interceptor: How does it handle an expired session ?


Or you can download Dan Vega's Solitary module.

Regards,
Andrew Scott
http://www.andyscott.id.au/

- cflogout docs (Adobe) say: "The user is automatically logged out when the session ends."
- The Railo version of cflogout does not seem to adhere to the behaviour described above (I will create a thread in the Railo Google Group for that)
- Calling cflogout in
  - onSessionEnd: Does indeed not behave as expected
  - onRequestStart: seems to behave correctly; but is still not the right place in my scenario: At least one request slips through ...

My current solution is:
- In the method '_isUserInValidState' of the default security interceptor:
  - Loop Over CF Roles only when there is a logged-in user
  - Realized like so:
    <cfif getPlugin("SessionStorage").exists("loggedin") >
      <!--- Loop Over CF Roles --->
      ...
    </cfif>
  - Where "loggedin" is a session storage variable set by the login mechanism I am using; now I understand why it can make sense to use cflogin AND additional session storage variables; and what open source can be good for ...

- Call cflogout directly before cflogin

This solution makes my current approach using the default security interceptor seemingly a happy camper :) !

I HAVE already test-driven Dan Vega's ColdBox Solitary Security Module; BUT: It uses ORM; and did not work out of the box in my scenario; because it seems to use SES URLs out of the box; it is of course a good option to consider ! And I am still waiting for Dan's next revision.
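Added example (not Kai's code and not ColdBox's own source): the guard described in the post above, written out as a complete `_isUserInValidState`, together with the login and logout handlers that keep the "loggedin" marker in step with cflogin/cflogout, including the "cflogout directly before cflogin" step. It assumes a ColdBox 3-style security interceptor whose rule struct carries a comma-delimited `roles` key, a SessionStorage plugin with `exists()`, `setVar()` and `deleteVar()`, and a hypothetical `UserService.authenticate()` model; the handler method and event names are made up for the example.

```cfml
<!--- Added example, not code from the thread or from ColdBox.
      Assumptions: rule.roles is a comma-delimited list (ColdBox 3 security rules),
      SessionStorage plugin offers exists()/setVar()/deleteVar(),
      UserService.authenticate() is a hypothetical model returning a struct on success. --->

<!--- 1. Inside the default security interceptor: fail closed on the application-level
         marker before ever consulting the CF login state --->
<cffunction name="_isUserInValidState" access="private" returntype="boolean" output="false">
    <cfargument name="rule" type="struct" required="true">
    <cfset var thisRole = "">

    <!--- No "loggedin" marker in this session: treat the user as logged out, even if
          isUserInRole() would still answer true because cflogout in onSessionEnd did not
          take effect (the behaviour reported above). The marker lives in the session
          scope, so it disappears with the session regardless of what cflogout did. --->
    <cfif NOT getPlugin("SessionStorage").exists("loggedin")>
        <cfreturn false>
    </cfif>

    <!--- Only a session that went through our login handler reaches the CF role loop --->
    <cfloop list="#arguments.rule.roles#" index="thisRole">
        <cfif isUserInRole(trim(thisRole))>
            <cfreturn true>
        </cfif>
    </cfloop>
    <cfreturn false>
</cffunction>

<!--- 2. Login handler (hypothetical event "security.doLogin"): discard any stale CF login
         first, then set the CF login and the session marker together --->
<cffunction name="doLogin" access="public" returntype="void" output="false">
    <cfargument name="event" type="any" required="true">
    <cfset var rc   = arguments.event.getCollection()>
    <cfset var user = getModel("UserService").authenticate(rc.username, rc.password)>

    <!--- Always clear leftover cflogin state before starting a new one --->
    <cflogout>

    <cfif isStruct(user)>
        <cflogin>
            <cfloginuser name="#user.username#" password="#rc.password#" roles="#user.roles#">
        </cflogin>
        <!--- The marker the interceptor guard checks; set only after a successful login --->
        <cfset getPlugin("SessionStorage").setVar("loggedin", true)>
        <cfset setNextEvent("main.index")>
    <cfelse>
        <!--- Failed login: no marker, so the guard above keeps returning false --->
        <cfset setNextEvent("security.login")>
    </cfif>
</cffunction>

<!--- 3. Logout handler (hypothetical event "security.doLogout"): remove both markers so
         the guard fails closed even on an engine where cflogout alone is not enough --->
<cffunction name="doLogout" access="public" returntype="void" output="false">
    <cfargument name="event" type="any" required="true">
    <cflogout>
    <cfset getPlugin("SessionStorage").deleteVar("loggedin")>
    <cfset setNextEvent("security.login")>
</cffunction>
```

The point of the ordering is that the session-storage marker, not `isUserInRole()`, decides whether a session is authenticated at all; the CF role loop is only used to decide which rules the already-authenticated user satisfies. Because the marker is tied to the CF session, an expired session loses it automatically, which is the case the thread says cflogout in onSessionEnd does not cover reliably.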

What about onRequestEnd? Maybe that might work for you.

Regards,
Andrew Scott
http://www.andyscott.id.au/

From: coldbox@googlegroups.com [mailto:coldbox@googlegroups.com] On Behalf Of verlsnake
Sent: Tuesday, 21 June 2011 6:41 PM
To: ColdBox Platform
Subject: [coldbox:10501] Re: Default Security Interceptor: How does it handle an expired session ?


Hello Andrew !

Thanks for the continued input :) ! But I will not fiddle around with onRequestEnd before the next severe failure occurs to me ...

Cheers and Tschüss

Kai