OPENAM-14404: Multiple calls being made to session endpoint by XUI when session cookie lost

Details

• Type: Bug
• Status: Open
• Priority: Major
• Resolution: Unresolved
• Affects Version/s: 6.5.0, 7.0.0
• Fix Version/s: None
• Component/s: XUI

Description

Bug description

Since OPENAM-13836 was committed there has been an issue with the session timeout whereby multiple calls are made to the session endpoint to log out.
The change in OPENAM-13836 was required to ensure that `Configuration.loggedUser` was not deleted from the UI until after the user had successfully logged out. That was the correct solution; the knock-on effect, however, is that when a session token times out, or is revoked or deleted, the XUI also uses the `Configuration.loggedUser` object as the guard that stops the logout functionality from being triggered more than once, and because that object now survives until the logout has completed, the guard no longer works.
The way the session timeout works in the UI is that upon receiving a 401 the user is logged out via `sessions?_action=logout` and sent to the session timeout view. Without a working guard, this endpoint is hit once per failed REST call.

One example might be an admin who decides to revoke all the sessions in a realm due to high demand. The result will be an increase in REST calls, not a decrease.

How to reproduce the issue

1. Login as demo
2. Open the browser console and delete the session cookie
3. Navigate to the user Dashboard

Expected behaviour

The `sessions?_action=logout` endpoint is hit 1 time only.
The user is taken directly to the session timeout page.

Current behaviour

The `sessions?_action=logout` endpoint is hit 6 times to match the 6 failed calls for the Dashboard page: 12 x 401s in total.
(Once OPENAM-14273 has been committed, navigating to the Dashboard page will generate 9 REST calls, which would result in 9 logout actions and 18 x 401s in total.)
A flash of the Dashboard is seen before navigating to the session timeout page.

Code Analysis

Shouldn't be difficult to resolve. We just need to use a different variable as the guard.
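As an added illustration (not OpenAM's XUI code), the following Node.js script simulates the fan-out described in this report and the single-flight guard that the Code Analysis suggests. Only `Configuration.loggedUser` and the `sessions?_action=logout` endpoint name are taken from XUI; the explicit task queue, the six constructed request paths and the `"inFlight"` flag are assumptions of the simulation. It also models the logout request itself being answered with a 401 because the cookie is gone, which is what the report's totals (6 logouts, 12 x 401s) imply.

```javascript
// Added example, not OpenAM's XUI code: six REST calls fail with 401 at once
// and the 401 handler decides whether to hit sessions?_action=logout.

// A tiny explicit task queue stands in for the browser's async callbacks so
// the interleaving is deterministic and the result can be checked.
function makeQueue() {
  const tasks = [];
  return {
    defer(fn) { tasks.push(fn); },
    drain() { while (tasks.length) tasks.shift()(); },
  };
}

// Builds a simulated XUI session. `guard` selects the check used by the 401
// handler: "loggedUser" (the behaviour this report describes) or "inFlight"
// (a separate flag, assumed here, that is set before the first logout is sent).
function makeSession(guard) {
  const queue = makeQueue();
  const Configuration = { loggedUser: { username: "demo" } }; // name taken from XUI
  let logoutInFlight = false;
  let logoutCalls = 0;   // hits on sessions?_action=logout
  let unauthorized = 0;  // 401 responses observed

  // Simulated sessions?_action=logout. The response arrives on a later turn of
  // the queue; it is itself a 401 (no cookie), and only then is loggedUser
  // cleared, mirroring the OPENAM-13836 behaviour. This response is not routed
  // back through handleUnauthorized, so it cannot trigger another logout.
  function callLogoutEndpoint() {
    logoutCalls += 1;
    queue.defer(() => {
      unauthorized += 1;
      Configuration.loggedUser = null;
      logoutInFlight = false;
    });
  }

  function handleUnauthorized() {
    unauthorized += 1;
    if (guard === "inFlight") {
      if (logoutInFlight) return;  // a logout is already on its way
      logoutInFlight = true;
      callLogoutEndpoint();
      return;
    }
    // "loggedUser" guard: still populated while the logout is pending, so it
    // never stops a second caller.
    if (!Configuration.loggedUser) return;
    callLogoutEndpoint();
  }

  // Simulated REST call made without a session cookie: the server answers 401.
  function restCall(path) {
    queue.defer(() => handleUnauthorized(path));
  }

  return {
    // Loads a view that issues `n` REST calls in parallel and reports counts.
    loadView(n) {
      for (let i = 0; i < n; i++) restCall("/json/users/demo/item" + i); // constructed paths
      queue.drain();
      return { logoutCalls, unauthorized, loggedUser: Configuration.loggedUser };
    },
  };
}

// The Dashboard in the report issues 6 REST calls.
function simulateDashboard(guard) {
  return makeSession(guard).loadView(6);
}

console.log("loggedUser guard:", simulateDashboard("loggedUser"));
console.log("inFlight guard:  ", simulateDashboard("inFlight"));
```

With the `"loggedUser"` guard the six handlers all observe a populated `Configuration.loggedUser`, so the logout endpoint is hit six times and twelve 401s are seen; with the `"inFlight"` flag the first handler claims the logout synchronously and the remaining five return early, giving one logout call. The flag must be set before the request is sent, not when its response arrives, otherwise the same window reopens.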

People

• Assignee: Unassigned
• Reporter: Julian Kigwana