Message Boards

relogin after session timeout

Updated 10 years ago by kavitha pazhanee.

relogin after session timeout

New Member Posts: 8 Join Date: 13/07/24 Recent Posts
Hi all,
I am using Liferay 6.1.20 EE server.
In my private page I have a portlet and I do a form submit in it so that it will render a post request with the p_auth token in it.
I kept the session idle for some time so that the session gets expired. I refreshed the page and it navigated to my login page. I gave the credentials and it tries to load the same as in the previous session with the post request. As it has the same p_auth token value as the previous session, it throws a forbidden error as:

Forbidden
You do not have permission to access the requested resource


As it was a problem with the p_auth token, I tried disabling it in portal-ext.properties with the property value:
auth.token.check.enabled=false

But now when I try to relogin after the session timeout it throws a principal exception as below.
com.liferay.portal.security.auth.PrincipalException: /group/test/user-management?p_p_id=125&p_p_lifecycle=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=1&_125_struts_action=%2Fusers_admin%2Fedit_user
at com.liferay.portal.struts.PortletRequestProcessor.process(PortletRequestProcessor.java:165)
Is there a way to resolve the issue?
Is there a way to navigate to a default landing page after re-login from session timeout instead of going to the previous session?

Please guide me on this

Thanks in advance!
Updated 10 years ago by Tomáš Polešovský.

RE: relogin after session timeout

Liferay Master Posts: 676 Join Date: 09/02/13 Recent Posts
Hi,

With every new session there is a new p_auth token (CSRF).

There can be the problem that you have the p_auth token still in the URL after sign in - when you submit a form, it's mostly an action phase that has the token in the URL. When you sign in, the login portlet sends you back to the action URL with the old p_auth token.

Try to google for "redirect after submit liferay" and implement that for your portlet. This way the action URL with p_auth token won't be the last URL you'll be redirected to.

HTH.

Btw. don't set auth.token.check.enabled=false, you disable CSRF protection << serious security issue.
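
The "redirect after submit" pattern suggested in the reply above, as an added example that is not part of the original thread or Liferay's own code. It assumes a portlet extending MVCPortlet on Liferay 6.1; the class name `TitlePortlet`, the action name `saveTitle` and the form parameter `title` are hypothetical.

```java
import java.io.IOException;

import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.PortletException;
import javax.portlet.PortletPreferences;
import javax.portlet.PortletRequest;
import javax.portlet.PortletURL;

import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.theme.ThemeDisplay;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portlet.PortletURLFactoryUtil;
import com.liferay.util.bridges.mvc.MVCPortlet;

// Hypothetical portlet: class, action and parameter names are illustrative.
public class TitlePortlet extends MVCPortlet {

    // Invoked for <portlet:actionURL name="saveTitle" />; that URL carries p_auth.
    public void saveTitle(ActionRequest request, ActionResponse response)
            throws IOException, PortletException {

        // 1. Do the state-changing work in the action phase, where the
        //    CSRF token check (auth.token.check.enabled) stays enabled.
        PortletPreferences prefs = request.getPreferences();
        prefs.setValue("title", ParamUtil.getString(request, "title"));
        prefs.store();

        // 2. Build a render-phase URL for the same portlet on the same page.
        //    It performs no action, so it does not depend on the action token.
        ThemeDisplay themeDisplay =
            (ThemeDisplay) request.getAttribute(WebKeys.THEME_DISPLAY);
        PortletURL renderURL = PortletURLFactoryUtil.create(
            request, PortalUtil.getPortletId(request),
            themeDisplay.getPlid(), PortletRequest.RENDER_PHASE);

        // 3. Redirect, so the browser's current URL becomes the render URL.
        //    A refresh after session expiry then replays this URL instead of
        //    the action URL with the old session's p_auth.
        response.sendRedirect(renderURL.toString());
    }
}
```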
Updated 10 years ago by kavitha pazhanee.

RE: relogin after session timeout

New Member Posts: 8 Join Date: 13/07/24 Recent Posts
Hi Tomas,
Thanks for your reply. The redirect URL within the portal works perfectly fine. I am facing the issue only on session timeout. It happens across the site, even with the Liferay portlets.
Say, for example, I logged in as site admin, went to the control panel users and organizations page and saved a user.

After getting the success message "Your request processed successfully", I left the page idle for some time so that the session got timed out, as in the screenshot attached. Please note the p_auth value here.

Now I refresh the page with F5, which redirected me to the Liferay login page.

After entering the site admin credentials in the login page, it redirected back to the users and organizations page in the control panel with the same p_auth token as in the attached screenshot.
And it throws the Forbidden error message.

Any help on this please.
Updated 10 years ago by Jeff Rade.

RE: relogin after session timeout

New Member Posts: 1 Join Date: 14/04/03 Recent Posts
I am having the same issue. Does setting session.timeout.redirect.on.expire=true fix this?
Updated 9 years ago by Tomas Polesovsky.

RE: relogin after session timeout

Liferay Master Posts: 676 Join Date: 09/02/13 Recent Posts
I think the simplest solution here is to enable session.timeout.auto.extend.

This should keep the session open as long as the browser contains portal pages.