Bug 867507 - required to enter credentials twice
Product: PressGang CCMS
Classification: Community
Component: Login-service
x86_64 Mac OS
unspecified Severity unspecified
Assigned To: pressgang-ccms-dev
Reported: 2012-10-17 11:52 EDT by Eric Johnson
Modified: 2013-07-03 19:09 EDT

Doc Type: Bug Fix
Last Closed: 2013-07-01 19:53:43 EDT
Type: Bug

Description Eric Johnson 2012-10-17 11:52:15 EDT
Description of problem:
When I log in through the Web UI, I am asked for my credentials twice. After the second time I am allowed without an issue.

Version-Release number of selected component (if applicable):
BUILD: 20121011-1331

How reproducible:
Navigate to the login screen in Safari and enter user credentials.
Comment 1 Lee Newson 2012-11-09 18:26:03 EST
I've had a look into this and haven't been able to fix it properly at this stage. The cause is that two sessions are used between HTTPS and HTTP. Seam does allow sharing the data between the two sessions on the server; however, from what I've been able to find, this only happens if the session already exists, and if the session has to be created then it doesn't work.

That is the reason that the second login will work: the first time, the session doesn't exist for the HTTP scheme, and when you log in it creates it, but it doesn't contain the Identity information and assumes you aren't logged in and redirects you back to the login page. When logging in the second time, the Identity is shared to the session and therefore lets you continue to view the unsecured content.

As such I've found two ways to get around this. The first is to make all pages use the HTTPS protocol and the second is to trick Seam into creating the session when creating the HTTPS session (see: http://www.seamframework.org/Documentation/HttpHttpsSessionLostOnLogout). The second I haven't tested, as I believe the first is the better option anyway. I'll bring it up at our team meeting on Monday and see what is preferred.
Comment 2 Lee Newson 2012-11-11 20:27:10 EST
The outcome from our meeting today is to use HTTPS for the entire application.
Comment 3 Lee Newson 2012-11-12 06:30:55 EST
Fixed in build 20121111-0821. The fix is now live as of 9.30pm +10GMT.
