adding support for changing sessionId at login #7111
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pdurbin
added this to Code Review 🦁
in IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34)
via automation
scolapasta
approved these changes
Jul 30, 2020
IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34)
automation
moved this from Code Review 🦁
to QA 🔎✅
Jul 30, 2020
|
This works for built in -the session id changes upon log in, but doesn't appear to change when using oauth (orcid). Will also test shib after initial investigation. |
IQSS/dataverse (TO BE RETIRED / DELETED in favor of project 34)
automation
moved this from QA 🔎✅
to Done 🚀
Jul 31, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it: Changes the sessionId at login
Which issue(s) this PR closes:
Closes #3254
Special notes for your reviewer: The code changes here work for the standard login (e.g. as dataverseAdmin) but haven't been checked with other login types. @landreev was going to look for other places where the same sessionId change might be needed for alternate login methods. (FWIW: It does look like this login method calls multiple auth providers, so it may cover all or at least several.) I put the code to change the Id in a util class to make that easier. Nominally this PR doesn't fully close #3254 until it covers a all the login mechanisms. (edit: I was indeed wondering earlier whether this needed to be applied in several places; similar to how we call configureSessionTimeout() from all the different auth provider impls.; but that does not appear to be necessary here: when increasing the session timeout, we wanted to be sure we were doing it only once the user has successfully authenticated/logged in; in this case, we are perfectly fine with issuing a new session before we try to authenticate - L.A.)
Suggestions on how to test this: Open the dev console and watch the jsessionId - cookie (usually) or in the URL -when you succeed in logging in, it should change, and the login should succeed as normal (i.e. no changes except to the session id)
Please test with different auth providers - Shib, etc. - in addition to the builtin provider.
Does this PR introduce a user interface change? If mockups are available, please link/include them here: No
Is there a release notes update needed for this change?:
Additional documentation: