
  • Session is null on successful login also

    Hi,

    We have developed a Spring-based web application product and it has been running without any issues. Recently we ported the application to another client. The link for our application is embedded within another website developed by another vendor (it's in PHP). The link has been given in an 'IFrame' tag so that our application does not launch as a new tab/window and is visible within the framework of the main website itself. What's happening is that when we launch our application directly (i.e., http://myapp), we are able to log in without any issue. But when our application is accessed from the third-party website (from within the IFrame tag), I see very weird behavior. I have given below the steps of what happens on login:

    1. On login, the 'CustomAuthunticationManager' and 'AuthenticationProcessingFilter' classes are called correctly. The login authentication happens successfully. In the 'onSuccessfulAuthentication' method of 'AuthenticationProcessingFilter' the session is not null and it is a valid one. The code for successful authentication, where the session is not null, is shown below:

    Code:
    protected void onSuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            Authentication authResult) throws IOException {
        logger.info("onSuccessfulAuthentication");

        HttpSession session = request.getSession();
        logger.info("session in AuthenticationProcessingFilter " + session);

    2. We also have a sessionExpiration filter where we check for session invalidity. When the flow comes to this filter after successful login (for the landing dashboard page), we see that the session is now empty. The filter code is shown below:

    Code:
    httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
    httpResponse.setHeader("Pragma", "no-cache"); // HTTP 1.0.
    httpResponse.setDateHeader("Expires", 0);

    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpSession session = httpRequest.getSession(false);
    logger.info("session in SessionExpirationFilter " + session);

    3. Since the session is empty, the user gets logged out even in case of successful login.

    4. When I access the application directly (i.e., like 'http://myapp'), the above issue never occurs.

    5. When the application is launched from the IFrame of the third-party website (i.e., like http://myapp/login.htm), the session gets cleared even on successful login. This again doesn't happen every time, but in, say, around 50% of attempted logins.

    The session logout time is 15 min.

    I am not sure whether there is any issue in the code, because this is something that has been working for quite a long time now. We are not able to pinpoint why this issue is occurring, whether it is because the application is being accessed from another website, or whether we need to tweak the code. Any help/pointers on this would be greatly appreciated.

    Thanks in advance. Regards
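
An added diagnostic example, not part of the original post or the poster's application: a servlet filter that records, for each request, whether the browser sent a session id at all and whether the server still recognizes it, which separates the two ways the session in step 2 can come back null. The class name `SessionDiagnosticFilter` and the verdict strings are hypothetical; the `javax.servlet` API is assumed from the Spring Security classes named in the post.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic filter (not from the original post); map it ahead of
// the session-expiration filter in web.xml.
public class SessionDiagnosticFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionDiagnosticFilter.class.getName());

    // Pure decision logic, kept separate so it can be unit-tested without a container.
    static String classify(String requestedId, boolean fromCookie, boolean valid, boolean hasSession) {
        if (requestedId == null) {
            return "NO_SESSION_ID_SENT";           // neither a cookie nor a URL session id arrived
        }
        if (!valid || !hasSession) {
            return "SESSION_ID_UNKNOWN_TO_SERVER"; // an id arrived, but no live session matches it here
        }
        return fromCookie ? "VALID_FROM_COOKIE" : "VALID_FROM_URL";
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(false); // never create a session while diagnosing
        String verdict = classify(req.getRequestedSessionId(),
                req.isRequestedSessionIdFromCookie(),
                req.isRequestedSessionIdValid(),
                session != null);
        // Log only whether headers are present; the session id itself is never written to the log.
        LOG.info("uri=" + req.getRequestURI()
                + " verdict=" + verdict
                + " cookieHeaderPresent=" + (req.getHeader("Cookie") != null)
                + " referer=" + req.getHeader("Referer"));
        chain.doFilter(request, response);
    }

    public void init(FilterConfig config) { }

    public void destroy() { }
}
```

Comparing the verdicts for direct and framed logins shows whether the failing requests arrive without any session id or with an id the server no longer holds.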