Bug 867507

Summary: required to enter credentials twice
Product: [Community] PressGang CCMS
Reporter: Eric Johnson <ejohnson>
Component: Login-service
Assignee: pressgang-ccms-dev
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: 1.0
CC: lnewson, pkennedy
Hardware: x86_64   
OS: Mac OS   
Doc Type: Bug Fix
Last Closed: 2013-07-01 23:53:43 UTC
Type: Bug

Description Eric Johnson 2012-10-17 15:52:15 UTC
Description of problem:
When I log in through the Web UI I am asked for my credentials twice. After the second time I am allowed in without an issue.

Version-Release number of selected component (if applicable):
BUILD: 20121011-1331

How reproducible:
Navigate to the login screen in Safari and enter user credentials.

Comment 1 Lee Newson 2012-11-09 23:26:03 UTC
I've had a look into this and haven't been able to fix it properly at this stage. The cause is that two sessions are used between HTTPS and HTTP. Seam does allow sharing the data between the two sessions on the server; however, from what I've been able to find, this only happens if the session already exists, and if the session has to be created then it doesn't work.

That is the reason that the second login will work: the first time, the session doesn't exist for the HTTP scheme, and when you log in it creates it, but it doesn't contain the Identity information and assumes you aren't logged in and redirects you back to the login page. When logging in the second time, the Identity is shared to the session, which therefore lets you continue to view the unsecured content.

As such, I've found two ways to get around this. The first is to make all pages use the HTTPS protocol, and the second is to trick Seam into creating the session when creating the HTTPS session (see: http://www.seamframework.org/Documentation/HttpHttpsSessionLostOnLogout). The second I haven't tested, as I believe the first is the better option anyway. I'll bring it up at our team meeting on Monday and see what is preferred.

Comment 2 Lee Newson 2012-11-12 01:27:10 UTC
The outcome from our meeting today is to use HTTPS for the entire application.

Comment 3 Lee Newson 2012-11-12 11:30:55 UTC
Fixed in build 20121111-0821. The fix is now live as of 9.30pm +10GMT.
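
The decision in comment 2, sketched as a Seam 2.x `pages.xml` (an added example, not the PressGang project's own configuration). The view ids, port numbers and the commented-out mixed-scheme layout are assumptions made for illustration.

```xml
<!-- pages.xml (Seam 2.x). View ids and ports below are assumed values. -->
<pages xmlns="http://jboss.com/products/seam/pages"
       login-view-id="/login.xhtml"
       http-port="8080"
       https-port="8443">

    <!--
      Mixed-scheme layout of the kind comment 1 describes (assumed, shown
      for contrast): the login view is HTTPS, every other view is HTTP,
      so the post-login redirect lands on a different scheme with its
      own session.

      <page view-id="/login.xhtml" scheme="https"/>
      <page view-id="*" scheme="http"/>
    -->

    <!--
      Single-scheme layout: every view requires HTTPS. Seam redirects a
      request that arrives over the wrong scheme to the same view over
      HTTPS, so login and the pages after it share one scheme.
    -->
    <page view-id="*" scheme="https"/>

</pages>
```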