SAK-16162: session timeout causes continuous redirect loop

    Details

    • Type: Bug
    • Status: CLOSED
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.6.0
    • Fix Version/s: 2.6.0
    • Component/s: Portal
    • Labels:
      None

      Description

      See SAK-13987 for implementation of a feature that warns people when they are getting near to the inactivity timeout. It may be that this feature is effectively disabled, for reasons noted in comments for SAK-13987. However, if you manage to get it working, e.g. by doing the patch to change

      url: "/direct/session/" + sessionId + ".json?auto=true"
      to be
      url: "/direct/session/" + sessionId + ".json?auto=true&_=" + (new Date()).getTime();

      you'll run into another problem: unless JSESSIONID is the first cookie, you'll get an invalid session ID. The problem is that this results in a continuous redirect loop, thus effectively disabling Sakai for that user. This was noted in another comment in SAK-13987. However the comment didn't make it clear quite how serious the impact of the problem is.

      A solution that works for us is to change

      var sessionId = document.cookie.replace(/^[^=]*=/, '').replace(/\..*$/, '');
      to
      var sessionId = document.cookie.replace(/^.*JSESSIONID=/, '').replace(/\..*$/, '');

      However, this assumes that the session ID is carried in a cookie called JSESSIONID. There was some concern in a comment that this might not work in other app servers. A reasonable approach would be to add a configuration setting like sessionid.cookiename, which defaults to JSESSIONID.
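      The following is an added example, not code from the Sakai project or from this issue, showing the difference between the first-cookie parse and a by-name lookup. It parses document.cookie into a name/value map, reads the session cookie by a configurable name (SESSION_COOKIE_NAME stands in for the proposed sessionid.cookiename setting; it is an assumption, not an existing Sakai property), strips a Tomcat-style ".route" suffix, and returns null when the cookie is absent so the poller can skip the request rather than send a bogus session ID. The cookie strings at the bottom are constructed sample input.

```javascript
// Added example (not Sakai's own code). SESSION_COOKIE_NAME is a stand-in for
// the sessionid.cookiename setting proposed in the issue; it does not exist in Sakai.
const SESSION_COOKIE_NAME = "JSESSIONID";

// The first-cookie parse reconstructed from the issue, kept only to show why it fails
// when JSESSIONID is not the first cookie in the jar.
function naiveSessionId(cookieString) {
  return cookieString.replace(/^[^=]*=/, "").replace(/\..*$/, "");
}

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
// The first occurrence of a name wins, matching the order the browser sends them.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    if (eq < 0) continue;
    const name = trimmed.slice(0, eq).trim();
    const value = trimmed.slice(eq + 1).trim();
    if (!(name in jar)) jar[name] = value;
  }
  return jar;
}

// Return the session id regardless of cookie position, or null when the cookie
// is missing. The /\..*$/ replace drops a clustering route suffix such as ".node1",
// exactly as the original code did.
function getSessionId(cookieString, cookieName = SESSION_COOKIE_NAME) {
  const value = parseCookies(cookieString)[cookieName];
  if (value === undefined || value === "") return null;
  return value.replace(/\..*$/, "");
}

// Build the poll URL for the timeout warning, including the cache-busting
// "_" parameter from the issue. Returns null when there is no session id so the
// caller can skip the request instead of asking the server about an invalid ID.
function buildSessionPollUrl(cookieString, now = Date.now()) {
  const id = getSessionId(cookieString);
  if (id === null) return null;
  return "/direct/session/" + encodeURIComponent(id) + ".json?auto=true&_=" + now;
}

// Constructed sample cookie strings (not captured from a real Sakai session).
const SAMPLE_FIRST = "JSESSIONID=abc123.node1; lang=en";
const SAMPLE_SECOND = "lang=en; JSESSIONID=abc123.node1; theme=dark";
const SAMPLE_MISSING = "lang=en; theme=dark";
```

      With SAMPLE_SECOND, naiveSessionId returns "en; JSESSIONID=abc123", which is what the server then rejects as an invalid session ID; getSessionId returns "abc123" for both SAMPLE_FIRST and SAMPLE_SECOND and null for SAMPLE_MISSING.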

      I'm unclear how serious a problem this is, since it appears that without the fix to the URL, this feature is probably effectively disabled. However if that isn't the case, we need to warn sites that enabling this feature has a high probability of creating disaster for at least some of their users.

                People

                • Assignee: jonespm Matthew Jones
                • Reporter: hedrick Charles Hedrick