Login scenarios discussion and logic behind it

Hi all, I’m currently working on this ticket to change LoginController logic. One of the scenarios described by @darius is:

If I am not logged into the system, and I click on a link to a page within the system (e.g. a bookmark or a link in an email), when I log in I should be taken to the page I was trying to visit.

The problem with this is that the link clicked is not saved anywhere. I’ve been looking at the UiFramework code responsible for this, but it throws an Auth exception. Does any of you know where the logic is that should save this link as the referer in, e.g., a session attribute?

Other scenarios that I have questions about are:

  1. If I am viewing a page in the system, and my session times out, and then I click on a link and am shown the login page, and then a different user logs in, they should be taken to the home screen.
  2. If I am viewing a page in the system, and my session times out, and then I click on a link and am shown the login page, if I log back in as the same user I should see the page I was last on.

I’m saving the username as a cookie value. What do you think about that? Any better solutions to make it work?


Surely at this point in the code the HttpServletRequest would give you the originally-requested URL, right? https://github.com/openmrs/openmrs-module-uiframework/blob/3.7/omod/src/main/java/org/openmrs/module/uiframework/PageController.java#L143

If not, I would also look at the openmrs-core code that throws the ContextAuthenticationException in the first place. That should have access to the originally requested URL.

Another approach would be to figure out how to be notified of session expiration (from the servlet container, I guess), and store a map from user to last session expiration time. Then, upon login, if your session expired in the last X hours, go back to the last page. (I guess you’d also have to listen to the log out event, and clear the map.)

I think that saving the username as a cookie is probably fine, though as you suggested on the ticket, it could be a security concern (allowing someone with physical access to the machine to determine a valid username). To mitigate this, store a one-way hash instead of the username itself.

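The first two suggestions above (read the originally requested URL at the point where the authentication exception is raised, keep it in the session, and send the user there after login) can be implemented with a small helper. The code below is an added example for this thread, not code from OpenMRS or from the uiframework module; the session attribute name and the home-page path are assumptions. The part a practitioner should not skip is `safeRedirectTarget`: a URL that is stored before login and replayed after login is attacker-influenced input (anyone can mail a link), so only a path on this server is accepted and everything else falls back to the home page.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Remembers the page a not-yet-authenticated user asked for, and hands it back safely after login. */
public final class LoginRedirect {

    /** Session attribute name; an assumption for this example, not an OpenMRS name. */
    public static final String REQUESTED_URL_ATTR = "loginRedirect.requestedUrl";

    private LoginRedirect() {}

    /**
     * Call this where the unauthenticated request is caught (the place that raises
     * ContextAuthenticationException). Only GET navigations are worth replaying; a POST
     * that failed authentication must not be re-issued after login.
     */
    public static void rememberRequestedUrl(HttpServletRequest request) {
        if (!"GET".equals(request.getMethod())) {
            return;
        }
        // getRequestURI() is the path inside this container (context path included), never a host.
        String url = request.getRequestURI();
        String query = request.getQueryString();
        if (query != null && !query.isEmpty()) {
            url = url + "?" + query;
        }
        request.getSession(true).setAttribute(REQUESTED_URL_ATTR, url);
    }

    /** Call this from the login controller after a successful login; returns the page to redirect to. */
    public static String consumeRedirectTarget(HttpSession session, String fallback) {
        Object stored = session.getAttribute(REQUESTED_URL_ATTR);
        session.removeAttribute(REQUESTED_URL_ATTR);   // one use only
        return safeRedirectTarget(stored instanceof String ? (String) stored : null, fallback);
    }

    /**
     * Accept only a path on this server. Anything with a scheme or authority, a
     * protocol-relative "//evil.example", a backslash (browsers treat "/\evil" like "//evil")
     * or CR/LF (response header injection) falls back to the home page.
     */
    static String safeRedirectTarget(String candidate, String fallback) {
        if (candidate == null || candidate.isEmpty()) {
            return fallback;
        }
        if (!candidate.startsWith("/") || candidate.startsWith("//")) {
            return fallback;
        }
        if (candidate.indexOf('\\') >= 0 || candidate.indexOf('\r') >= 0 || candidate.indexOf('\n') >= 0) {
            return fallback;
        }
        try {
            URI uri = new URI(candidate);
            if (uri.getScheme() != null || uri.getAuthority() != null) {
                return fallback;
            }
        } catch (URISyntaxException e) {
            return fallback;
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the home page path is an assumption.
        String home = "/openmrs/index.htm";
        System.out.println(safeRedirectTarget("/openmrs/patient.page?patientId=12", home)); // kept as-is
        System.out.println(safeRedirectTarget("//evil.example/phish", home));                // home
        System.out.println(safeRedirectTarget("https://evil.example/", home));               // home
        System.out.println(safeRedirectTarget("/openmrs/x\r\nSet-Cookie: a=b", home));       // home
        System.out.println(safeRedirectTarget(null, home));                                  // home
    }
}
```

Storing the request URI rather than the `Referer` header also removes the ambiguity discussed later in the thread: the attribute is only ever set by the code path that refused an unauthenticated request, so its presence already means "the user was interrupted on the way somewhere".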

For session timeout notification, you can put in the session an object that implements this interface: http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpSessionBindingListener.html

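The "map from user to last session expiration time" idea from the earlier reply, using the `HttpSessionBindingListener` interface pointed to above, looks like the following. This is an added example written for this thread, not OpenMRS code; the attribute name, the in-memory map and the decision to also keep the last page URL alongside the expiry time are assumptions. It covers the two numbered scenarios from the opening post: a different user gets nothing to resume (home page), the same user gets the page they were on, and a manual logout clears the entry so it is never resumed.

```java
import java.io.Serializable;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Put one of these in the session at login. The container calls valueUnbound when the
 * session expires, is invalidated (logout) or the attribute is replaced, so the object
 * can record what happened for the user it belongs to.
 */
public class ExpiredSessionTracker implements HttpSessionBindingListener, Serializable {

    /** Session attribute name; assumed for this example. */
    public static final String ATTRIBUTE = "expiredSessionTracker";

    /** What survives the session: when it expired and the last page the user was on. */
    public static final class LastSession implements Serializable {
        public final Instant expiredAt;
        public final String lastUrl;
        LastSession(Instant expiredAt, String lastUrl) {
            this.expiredAt = expiredAt;
            this.lastUrl = lastUrl;
        }
    }

    /** username -> that user's most recently expired session. In-memory, so single node only. */
    private static final Map<String, LastSession> EXPIRED = new ConcurrentHashMap<>();

    private final String username;
    private volatile String lastUrl;
    private volatile boolean manualLogout;

    private ExpiredSessionTracker(String username) {
        this.username = username;
    }

    /** At successful login: start tracking this session for this user (attach once; replacing it fires valueUnbound). */
    public static void attach(HttpSession session, String username) {
        session.setAttribute(ATTRIBUTE, new ExpiredSessionTracker(username));
    }

    /** On every page view (e.g. from the page controller): remember where the user is. */
    public static void recordPageView(HttpSession session, String url) {
        ExpiredSessionTracker t = (ExpiredSessionTracker) session.getAttribute(ATTRIBUTE);
        if (t != null) {
            t.lastUrl = url;
        }
    }

    /** At manual logout: flag the tracker so valueUnbound does not treat this as an expiry, then invalidate. */
    public static void manualLogout(HttpSession session) {
        ExpiredSessionTracker t = (ExpiredSessionTracker) session.getAttribute(ATTRIBUTE);
        if (t != null) {
            t.manualLogout = true;
        }
        session.invalidate();
    }

    /**
     * At the next login: if this same user's previous session expired within {@code window},
     * return the page they were on; otherwise null (send them to the home page).
     * The entry is consumed so it is offered at most once.
     */
    public static String resumeUrlAfterLogin(String username, Duration window) {
        LastSession last = EXPIRED.remove(username);
        if (last == null || last.lastUrl == null) {
            return null;
        }
        if (Duration.between(last.expiredAt, Instant.now()).compareTo(window) > 0) {
            return null;
        }
        return last.lastUrl;
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        // nothing to do when added to the session
    }

    /** Runs on the container's background thread for timeouts; keep it cheap and non-blocking. */
    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        if (manualLogout) {
            EXPIRED.remove(username);   // a deliberate logout must never be resumed
            return;
        }
        EXPIRED.put(username, new LastSession(Instant.now(), lastUrl));
    }
}
```

Two caveats for production use: the static map is lost on redeploy and is not shared across nodes, so a clustered deployment needs a shared store; and the URL returned by `resumeUrlAfterLogin` should still go through a same-origin check before it is used in a redirect, exactly as a stored pre-login URL would.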

Right! I could easily get the referer and save as a session attribute.

Last problem I’m facing right now is the referer URL set in the header when the user manually logs out. I can’t find the place where it is saved as a header. I thought it was done in appui, but I was wrong. Any suggestions?

@adamg do you actually need it if someone manually logs out? :smile:

I don’t, but it is saved, and in the login controller I don’t know whether it was saved during a manual logout or when the session expired and we want to redirect the user back.

@adamg when a user manually logs out, the value contained in the referer header is always the home page. Since in cases of manual logout you always want to redirect users to the home page, this makes it exactly what you want. If a session just expired, you still want to redirect the user to the referer value. Not so? :slight_smile:

@dkayiwa try doing a manual logout here and logging in again. It takes you back to the page where you logged out, not to the home page.

@adamg the referer header is automatically set by the browser, not our code. As part of the commits for RA-986, i set a session attribute to tell when a manual logout happens. That way, i ignore the referer url whenever i find this session attribute set. Is this of any help?

@adamg, Daniel’s suggestion should work, but given the changes you’ve already made (about cookies) I think my comment from the ticket would also solve this:

how about if as part of the manual logout you clear the username cookie? That way the next time someone logs in it doesn’t try to recover a previous working session
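The cookie side of this, combining the earlier advice to store a one-way hash rather than the raw username with the suggestion just above to clear the cookie on manual logout, can look like the following. This is an added example for this thread, not OpenMRS code; the cookie name, its lifetime and the server-side key are assumptions. One design choice to note: usernames have very little entropy, so a bare hash such as SHA-256 of the username can be reversed by hashing a list of candidate usernames, which is why the value here is an HMAC under a key that only the server holds.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/** A "who was last logged in on this browser" cookie that does not reveal the username to whoever reads it. */
public final class LastUserCookie {

    public static final String NAME = "lastUser";            // cookie name; assumed for this example
    private static final int MAX_AGE_SECONDS = 8 * 60 * 60;  // how long a resumed session is offered; assumed
    private static final String HMAC = "HmacSHA256";

    private LastUserCookie() {}

    /**
     * Keyed hash of the username. The key is an assumption: load it from server
     * configuration (and keep it stable across restarts), never derive it from the request.
     */
    static String tokenFor(String username, byte[] serverKey) {
        try {
            Mac mac = Mac.getInstance(HMAC);
            mac.init(new SecretKeySpec(serverKey, HMAC));
            byte[] digest = mac.doFinal(username.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** After a successful login: remember (opaquely) who logged in on this browser. */
    public static void set(HttpServletResponse response, String username, byte[] serverKey, boolean https) {
        Cookie c = new Cookie(NAME, tokenFor(username, serverKey));
        c.setHttpOnly(true);   // not readable from page scripts
        c.setSecure(https);    // only sent over TLS when the app is served over TLS
        c.setPath("/");
        c.setMaxAge(MAX_AGE_SECONDS);
        response.addCookie(c);
    }

    /** At manual logout: forget the previous user so the next login does not try to resume their session. */
    public static void clear(HttpServletResponse response) {
        Cookie c = new Cookie(NAME, "");
        c.setPath("/");
        c.setMaxAge(0);        // max-age 0 tells the browser to delete the cookie
        response.addCookie(c);
    }

    /** At the next login: is the user who just logged in the one the cookie was written for? */
    public static boolean isSameUser(String cookieValue, String username, byte[] serverKey) {
        if (cookieValue == null || username == null) {
            return false;
        }
        byte[] expected = tokenFor(username, serverKey).getBytes(StandardCharsets.UTF_8);
        byte[] actual = cookieValue.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);   // constant-time comparison
    }
}
```

With `clear` called from the logout handler, the login controller only ever sees the cookie after an expired session, so `isSameUser` alone decides between "resume the last page" (same user) and "go to the home page" (different user, or no cookie).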

Thanks guys for your help :slight_smile: I have added a comment in the issue ticket with links to the PRs.