Bug 694641

Summary: Able to perform url navigation after logout
Product: [Other] RHQ Project
Reporter: Jay Shaughnessy <jshaughn>
Component: Core UI
Assignee: Jay Shaughnessy <jshaughn>
Status: CLOSED CURRENTRELEASE
QA Contact: Corey Welton <cwelton>
Severity: high
Priority: medium
Version: 4.0.0.Beta2
CC: hrupp, skondkar
Hardware: All
OS: All
Doc Type: Bug Fix
Last Closed: 2011-05-24 01:07:53 UTC

Description Jay Shaughnessy 2011-04-07 20:18:14 UTC
This seems like a regression as I'm sure this was working a while back.

1) Log in

2) Navigate to say, a resource

3) Log out

  The login box shows up, the background greys (although the resource detail
  screen is still displayed)

4) Hit the browser back button

Watch the resource screen re-render behind the login box.  For fun you can actually type in any rhq url, try #Inventory, etc...


When a user logs out the session should die. Also, the screen should be blanked out behind the login box.

If the user's session expires (60 minutes) the login box should appear yet on login as the same user, the user should be able to resume where he left off (the url has not actually changed).

Comment 1 Jay Shaughnessy 2011-04-07 21:30:44 UTC
Actually, I think the session is dying as anticipated. That is good.  The behavior is still bad, though.

Comment 2 Jay Shaughnessy 2011-04-08 19:45:33 UTC
Fix commit 9a590b9d71a34f884c9843880278762277028eac
Author: Jay Shaughnessy <jshaughn>
Date:   Fri Apr 8 15:19:01 2011 -0400

    A user-initiated logout had various issues:
    - the logged out user's last view remained on screen (potential security issue)
    - the back button could be utilized to navigate to the user's past pages (potential security issue)
    - subsequent login could navigate to the wrong view
    - in certain situations the previous session could be refreshed (just plain bad)

    Now on a user-initiated logout the entire background is greyed out to hide
    previous state.  The back button will maintain the LogOut view. Subsequent
    logins will start at the default view.

    Note that session-expirations also pop up the login box but do still
    show the background view, on the assumption that the user may want to
    log in again and pick up where he left off.

Comment 3 Sunil Kondkar 2011-04-26 12:10:35 UTC
Verified on build#1175 (Version: 4.0.0-SNAPSHOT Build Number: a90faf9)

Logged in and navigated to a resource. After logout, the background is greyed out and it does not display the resource details screen, it shows only the login box.

Tried hitting browser back button which maintains the view displaying only the login box.

Subsequent logins display the Dashboard screen.

Also waited till the session expires. The login box is shown with the background view and after login, it displays the screen where the user left off.

Marking as verified.

Comment 4 Corey Welton 2011-05-24 01:07:53 UTC
Bookkeeping - closing bug - fixed in recent release.
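
The logout and session-expiry behaviour described in the Comment 2 commit message, modelled as a small client-side view guard. This is an added example, not RHQ code: `createSessionGuard`, the view names and the user names are hypothetical, and it assumes the server has already invalidated the session (as Comment 1 observes), so it covers only what the UI renders.

```javascript
// Added example; every name here is hypothetical, not RHQ code.
const DEFAULT_VIEW = "Dashboard"; // assumed default view (Comment 3 reports Dashboard)
const LOGOUT_VIEW = "LogOut";

function createSessionGuard(user, startView = DEFAULT_VIEW) {
  const s = { auth: "LOGGED_IN", user, view: startView, resumeView: null, backgroundHidden: false };
  return {
    state: s,
    // Run on every history change: link click, typed #fragment, back button.
    navigate(view) {
      if (s.auth === "LOGGED_IN") s.view = view;
      else if (s.auth === "LOGGED_OUT") s.view = LOGOUT_VIEW; // pinned to LogOut
      // EXPIRED: leave the view untouched until the user logs in again.
      return s.view;
    },
    // User clicked "log out": drop all prior UI state and hide the background.
    userLogout() {
      s.auth = "LOGGED_OUT";
      s.user = null;
      s.view = LOGOUT_VIEW;
      s.resumeView = null;
      s.backgroundHidden = true;
    },
    // Session timed out: remember where the user was, keep the background.
    sessionExpired() {
      if (s.auth !== "LOGGED_IN") return;
      s.auth = "EXPIRED";
      s.resumeView = s.view;
      s.backgroundHidden = false;
    },
    // Successful authentication; resume only for the same user after expiry.
    login(newUser) {
      const resume = s.auth === "EXPIRED" && newUser === s.user;
      s.view = resume ? s.resumeView : DEFAULT_VIEW;
      s.auth = "LOGGED_IN";
      s.user = newUser;
      s.resumeView = null;
      s.backgroundHidden = false;
      return s.view;
    },
  };
}
```

Routing every history event through `navigate` is what keeps the back button and hand-typed fragments such as `#Inventory` from re-rendering a previous view after a user-initiated logout.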