You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
The changes of #6047 have broken the handling of expired http sessions. This seems to stem from the sessionDestroyed method being moved from KitodoVersionListener to SessionService. The later is not annotated as WebListener (as KitodoVersionListener is). Adding the annotation alone does not resolve the issue, but moving the sessionDestroyed method back to KitodoVersionListener does, so we probably need a dedicated HttpSessionListener extension to handle expiring sessions, instead of (mis-)using the service class SessionService or the KitodoVersionListener for this purpose.
To Reproduce
Steps to reproduce the behavior:
Log into Kitodo with one user account in one browser (for example Chrome)
Close the browser (without logging out of Kitodo)
Log into Kitodo with a different user account in a different browser (for example Firefox)
After http session expires (check web.xml for session timeout value) check the user list in the second browser
See error that first user - whose http session is expired - is still displayed as logged into the system on the user page - which also results in his metadata locked processes not being released!
Expected behavior
User sessions should expire on http session timeout even if the user does not have an open Kitodo window in the browser.
Release
3.8, current main branch
The text was updated successfully, but these errors were encountered:
Describe the bug
The changes of #6047 have broken the handling of expired http sessions. This seems to stem from the
sessionDestroyedmethod being moved fromKitodoVersionListenertoSessionService. The later is not annotated asWebListener(asKitodoVersionListeneris). Adding the annotation alone does not resolve the issue, but moving thesessionDestroyedmethod back toKitodoVersionListenerdoes, so we probably need a dedicatedHttpSessionListenerextension to handle expiring sessions, instead of (mis-)using the service classSessionServiceor theKitodoVersionListenerfor this purpose.To Reproduce
Steps to reproduce the behavior:
web.xmlfor session timeout value) check the user list in the second browserExpected behavior
User sessions should expire on http session timeout even if the user does not have an open Kitodo window in the browser.
Release
3.8, current main branch
The text was updated successfully, but these errors were encountered: