Details
- Improvement
- Status: Closed
- Normal
- Resolution: Fixed
- Platform 211 Eng OKRs
Description
In CMS-11985 we made sure that after a CMS logout, the HTTP sessions of site webapps are always invalidated as well if the site was accessed via the channel manager.
However, the HST CmsSSOAuthenticationHandler still contains code that handles the old use case where one would log out from the CMS webapp but keep the site webapp's HTTP session. This is no longer possible since CMS-11985, so the code below can be replaced by just `HttpSession httpSession = containerRequest.getSession();`
```java
HttpSession httpSession = containerRequest.getSession(false);
// if the (HST) http session already exists, it might be because the user logged out from cms and logged in with
// different user or logged in with same user again but the authorization rules for example changed (that is
// why the user for example logged out and in). However, now it can happen that we have stale jcr sessions
// still on the HttpSessionBoundJcrSessionHolder attribute of the HST http session. We need to clear these
// now actively
if (httpSession != null) {
    HttpSessionBoundJcrSessionHolder.clearAllBoundJcrSessions(HTTP_SESSION_ATTRIBUTE_NAME_PREFIX_CMS_PREVIEW_SESSION, httpSession);
} else {
    httpSession = containerRequest.getSession(true);
}
```
Issue Links
- relates to: CMS-11985 Make sure that http sessions from other webapps than the cms are also logged out in case they are part of the cms session context (Closed)