Trevor Russ wrote:
> Using XEM 1.9.3 or XE 2.0 M2.
> If I log out and log in again without closing the browser, the session resumes to the last
> page I was browsing. I don't know if that's a feature ("resuming your
> session") or a bug (not restarting at the dashboard).
> But this also happens if I log in as a different user using the same browser: it resumes
> the previous user's session.
> And if that previous user had admin rights, when a user with no admin rights logs in it
> goes to the last page that the admin was browsing. If that page requires admin rights, it
> says "You are not allowed to view this document or perform this action."
> Of course, it won't be often that one browser will be used for different login IDs,
> but it should not resume the session of another user when you log in.

This is not about the session, but a feature of our login form.
When trying to view a page that requires authentication, the login form
is displayed, with a hidden input that identifies the page you tried to
view. This is plain HTML, no session magic.
After logging in, XWiki redirects you to the page you tried to view.
Now, the problem is that when logging out, you are also redirected back
to the original document you were viewing.
So, user A is logged in and is looking at document M. User A logs out,
and since viewing the document requires an authenticated user, the login
form is displayed, remembering document M as the visited document. When
user B logs in, he simply sees the document which triggered the login form.
I think that both features are needed for a normal wiki: logging out
displays the same document, logging in displays the same document. If
you don't like this behavior, then changing the login form so that it
doesn't remember the previous document is easy: just edit
/templates/login.vm and remove this line:

    <input type="hidden" name="xredirect" value="$!request.xredirect"/>

--
Sergiu Dumitriu
http://purl.org/net/sergiu/