[OPENAM-8077] XUI does not overwrite stateless session on session upgrade
Created: 10/Jan/16  Updated: 20/Apr/17

Status: Open
Project: OpenAM
Component/s: authentication
Affects Version/s: 13.0.0
Fix Version/s: None

Type: Bug
Priority: Major
Reporter: David Luna
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: Backlog, authentication, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
depends on OPENAM-7570 Session Upgrade from Anonymous login ... Resolved


After upgrading a stateless session, a new cookie is returned to the user's browser containing the details of the upgraded session. The XUI currently does not overwrite its existing cookie with this new one, meaning the session upgrade never propagates back to the client (and is therefore 'lost' as the server retains no state).

Steps to reproduce:

i) Activate stateless sessions
ii) Create an anonymous auth module, called anonymous
iii) Log in with the anonymous auth module, &module=anonymous
iv) Without logging out, log in with &service=ldapService as demo user

You should see: The demo user's account page
You do see: The anonymous user's account page

Upon checking the state of the browser's cookies, the client still has the anonymous user's cookie rather than the newly-generated demo user's.

The classic UI works correctly, and displays the anonymous user's account page.
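
The symptom in this report (the server issues a new session cookie on upgrade, the client keeps the old one) can be checked mechanically in a regression test. The JavaScript below is an added example, not OpenAM or XUI code; the cookie name `iPlanetDirectoryPro` is assumed (OpenAM's default, configurable), and the function names and token values are constructed.

```javascript
// Added example: function names and token values are constructed for illustration.
const SESSION_COOKIE = "iPlanetDirectoryPro"; // assumed name (OpenAM default; configurable)

// Parse one Set-Cookie header into { name, value, deleted }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // malformed: no cookie name
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1).replace(/^"|"$/g, "");
  // Max-Age <= 0 or an Expires date in the past tells the client to delete the cookie.
  let deleted = false;
  for (const a of attrs) {
    const [k, v = ""] = a.split("=");
    const key = k.trim().toLowerCase();
    if (key === "max-age" && Number(v) <= 0) deleted = true;
    if (key === "expires" && Date.parse(v) <= Date.now()) deleted = true;
  }
  return { name, value, deleted };
}

// Value the server last told the client to hold for the session cookie:
// undefined if no header touched it, null if the server deleted it.
function lastIssued(setCookieHeaders, name = SESSION_COOKIE) {
  let issued;
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (c && c.name === name) issued = c.deleted ? null : c.value;
  }
  return issued;
}

// Compare the client's cookie jar after the upgrade with what the server issued.
// Jars are plain { cookieName: value } objects captured by the test harness.
function checkUpgrade(jarBefore, setCookieHeaders, jarAfter, name = SESSION_COOKIE) {
  const issued = lastIssued(setCookieHeaders, name);
  if (issued === undefined) return "no-new-cookie";
  const held = jarAfter[name] ?? null;
  if (held === issued) return "ok";
  // Client still holds the pre-upgrade value: the behaviour this issue describes.
  return held === (jarBefore[name] ?? null) ? "stale-cookie" : "mismatch";
}
```

With stateless sessions the cookie is the only copy of the session, so a `stale-cookie` result means the upgraded session is discarded even though authentication succeeded.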

Comment by Boo Leong KHOO [ 22/Mar/16 ]

Does disabling the XUI for the login page work around this bug?
