Bug 205978 - Login from Logout.do page fails
Summary: Login from Logout.do page fails
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: John Matthews
QA Contact: wes hayutin
URL:
Whiteboard:
Depends On:
Blocks: 248627
Reported: 2006-09-11 06:11 UTC by David Ash
Modified: 2008-04-03 00:17 UTC (History)
CC List: 0 users

Fixed In Version: sat510
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-04-03 00:17:22 UTC
Target Upstream Version:
Embargoed:


Description David Ash 2006-09-11 06:11:44 UTC
Description of problem:
Login from Logout.do page fails

Version-Release number of selected component (if applicable):
I think I first found this on rhn400 but don't know about versions before this.
 rhn410 looks to still be vulnerable, but users may not ever find out on rhn410
as when a user clicks on "logout" they are redirected to the "Login.do" page,
and never actually go to the "Logout.do" page.  But you can still type in
Logout.do manually and try to log in and fail.

How reproducible:
Every time

Steps to Reproduce:
1. go to Logout.do page
2. try logging in and it will redirect you to the login page and not log you in
(tested many times using saved password account as well as other accounts I got
people to test)

In rhn400 people might
1. login
2. "sign out" which will redirect you to "Logout.do" page
3. login from this page will fail and redirect you to Login.do page
4. login will then work

In rhn410 people might
1. login
2. "sign up" which will redirect you to "Login.do" from which logins will work
However if users manually type in "Logout.do" or have a bookmark and try logging
in, this will also fail.
  
Actual results:
Login from "Logout.do" page fails

Expected results:
Login from "Logout.do" page should work

Additional info:
I don't know if this is it, but the source of the html (as publicly seen from
the client side) has:
Logout.do page has:
    <form id="loginForm" method="post" action="/rhn/ReLoginSubmit.do">
Login.do page has:
    <form id="loginForm" method="post" action="/rhn/LoginSubmit.do">

Comment 1 John Matthews 2008-01-22 19:44:24 UTC
Sending        code/webapp/WEB-INF/pages/common/relogin.jsp
Transmitting file data .
Committed revision 135987.


Comment 2 John Matthews 2008-01-24 15:06:53 UTC
Reverted the previous commit, which removed "url_bounce" from relogin.jsp. This
fixed the Logout.do problem described here, but it also broke the functionality
of having a relogin automatically go to the intended page.





Comment 3 John Matthews 2008-01-24 15:19:57 UTC
I believe this is what's happening with the described problem.
Scenario #1
1) User is logged in
2) User goes to URL "/rhn/Logout.do"
3) User is logged out and brought to a login prompt
4) User enters login info and Login is successful

Scenario #2
1) User is logged out
2) User goes to URL "/rhn/Logout.do"
 Note:  Viewing HTML source will show that form variable "url_bounce=/rhn/Logout.do"
3) User enters login info
4) Login is successful, yet the user doesn't see this since "LoginAction" sends a
response.redirect(url_bounce), which in this case means the user is brought back
to Logout.do, which will log the user out and redisplay a login prompt.
5) Login prompt is displayed.
Note: form var url_bounce is now set to "/rhn"
6) User types login info and is brought to YourRHN



Comment 4 John Matthews 2008-01-24 19:47:56 UTC
Added a special case, so when url_bounce = Logout.do, it will forward to YourRHN
and not continue with an immediate Logout.

Sending        com/redhat/rhn/frontend/action/LoginAction.java
Transmitting file data .
Committed revision 136071.
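
The special case described in Comment 4, written out as an added example; it is not the code committed to LoginAction.java. It goes beyond the single url_bounce = Logout.do comparison by also treating the other login endpoints named in the report as non-bounceable, by normalizing variants such as path parameters and ".." segments, and by accepting only paths under /rhn. The class name `BounceTarget`, the method `resolve` and the `DEFAULT_PAGE` path for YourRHN are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class BounceTarget {
    // Assumed path of the "YourRHN" landing page; the bug report does not give it.
    static final String DEFAULT_PAGE = "/rhn/YourRhn.do";
    // Endpoints named in the report that must never be a post-login target,
    // stored in lower case so the comparison is conservative about case.
    static final Set<String> NO_BOUNCE = Set.of("/rhn/logout.do", "/rhn/login.do",
            "/rhn/loginsubmit.do", "/rhn/reloginsubmit.do");

    /** Returns the application path to redirect to after a successful login. */
    static String resolve(String urlBounce) {
        if (urlBounce == null || urlBounce.isBlank()) {
            return DEFAULT_PAGE;
        }
        URI uri;
        try {
            uri = new URI(urlBounce.trim()).normalize(); // collapses "." and ".." segments
        } catch (URISyntaxException e) {
            return DEFAULT_PAGE;
        }
        String raw = uri.getRawPath();
        // Accept only a plain path: no scheme, no host, no percent-encoding.
        if (uri.getScheme() != null || uri.getRawAuthority() != null
                || raw == null || raw.indexOf('%') >= 0) {
            return DEFAULT_PAGE;
        }
        // Drop servlet path parameters such as ";jsessionid=..." before comparing.
        String path = raw.replaceAll(";[^/]*", "");
        boolean inApp = path.equals("/rhn") || path.startsWith("/rhn/");
        if (!inApp || path.contains("..") || NO_BOUNCE.contains(path.toLowerCase(Locale.ROOT))) {
            return DEFAULT_PAGE;
        }
        return uri.getRawQuery() == null ? path : path + "?" + uri.getRawQuery();
    }

    public static void main(String[] args) {
        // Constructed url_bounce values; only /rhn/Logout.do and /rhn appear in the report.
        String[] samples = {"/rhn/Logout.do", "/rhn/Logout.do;jsessionid=AB12?x=1",
            "/rhn/errata/../Logout.do", "/rhn", "/rhn/systems/Overview.do?sid=7", ""};
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + resolve(s));
        }
    }
}
```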


Comment 5 wes hayutin 2008-01-28 14:56:42 UTC
verified build 84

Comment 6 Brandon Perkins 2008-04-03 00:17:22 UTC
5.1 Sat GA so Closed for Current Release.

