[ https://issues.apache.org/jira/browse/OFBIZ-4959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16401683#comment-16401683 ]

Jacques Le Roux edited comment on OFBIZ-4959 at 3/19/18 10:18 AM:
------------------------------------------------------------------

I completed the fix in
trunk r1826938
R17.12 r1826939
R16.11 r1826943

I used the only available (and I must say confusing) WebappInfo.getName() when I needed the webAppName not the WebappInfoName.
So this put in a new WebappInfo.getMountPoint() and use it in getWebappInfo
Also use LoginWorker.autoLoginSet() in different places where I missed it.

In other words all autoUserLogin cookies are deleted on login and logout, and an autoUserLogin cookie is created when going locally from a webapp to another, with checkExternalLoginKey


was (Author: jacques.le.roux):
I completed the fix in
trunk r1826938
R17.12 r1826939
R16.11 r1826943

> Logout do not remove autoLogin
> ------------------------------
>
>                 Key: OFBIZ-4959
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4959
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL COMPONENTS
>    Affects Versions: Release 09.04, Release 10.04
>         Environment: Windows 2003 Server. Apache Ofbiz 2004 and Ofbiz 10
>            Reporter: Roberto Benítez Monje
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: logout, security
>             Fix For: 17.12.01, 16.11.05
>
>         Attachments: OFBIZ-4959.patch, OFBIZ-4959.patch
>
>   Original Estimate: 70,056h
>  Remaining Estimate: 70,056h
>
> The logout method does not disable the autoLogin functionality. Instead, it just initializes autoLogin in the session and request.
> autoLoginCheck has to be replaced with autoLoginRemove inside the logout method.
> {code:title=LoginEvents/LoginWorker.java|borderStyle=solid}
> public static String logout(HttpServletRequest request, HttpServletResponse response) {
>     // invalidate the security group list cache
>     GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
>     String returnValue = "success";
>     if (request.getAttribute("_AUTO_LOGIN_LOGOUT_") == null) {
>         try {
>             returnValue = autoLoginRemove(request, response);
>         } catch (IOException e) {
>             Debug.logWarning(e, "", module);
>         }
>     }
>     // log out from all other sessions too; do this here so that it is only done when a user explicitly logs out
>     logoutFromAllSessions(userLogin);
>     doBasicLogout(userLogin, request);
>     return returnValue;
> }
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
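
A check that can be run against a captured logout response to confirm the behaviour discussed in this issue, added here as an example that is not OFBiz code and not part of the original message: it lists the auto-login cookies the browser sent that the response did not expire. The class name, the `autoUserLogin` name match and the sample cookie names and headers are assumptions constructed for illustration.

```java
import java.net.HttpCookie;
import java.util.ArrayList;
import java.util.List;

public class AutoLoginCookieCheck {
    // Assumption: auto-login cookies are recognised by this substring of the cookie name.
    static final String MARKER = "autoUserLogin";

    /** Names of auto-login cookies the browser sent that the logout response does not expire. */
    static List<String> survivingAutoLoginCookies(List<String> sentCookieNames,
                                                  List<String> setCookieHeaders) {
        List<String> expired = new ArrayList<>();
        for (String header : setCookieHeaders) {
            for (HttpCookie cookie : HttpCookie.parse(header)) {
                // This example treats Max-Age=0 as deletion; Expires-based deletion is not checked.
                if (cookie.getName().contains(MARKER) && cookie.getMaxAge() == 0) {
                    expired.add(cookie.getName());
                }
            }
        }
        List<String> surviving = new ArrayList<>();
        for (String name : sentCookieNames) {
            if (name.contains(MARKER) && !expired.contains(name)) {
                surviving.add(name);
            }
        }
        return surviving;
    }

    public static void main(String[] args) {
        // Constructed sample data: cookie names sent with the logout request.
        List<String> sent = List.of("JSESSIONID", "appA.autoUserLoginId", "appB.autoUserLoginId");

        // Constructed response that only drops the session cookie (the reported behaviour).
        List<String> before = List.of("Set-Cookie: JSESSIONID=gone; Max-Age=0; Path=/appA");

        // Constructed response that also expires every auto-login cookie.
        List<String> after = List.of(
            "Set-Cookie: JSESSIONID=gone; Max-Age=0; Path=/appA",
            "Set-Cookie: appA.autoUserLoginId=gone; Max-Age=0; Path=/",
            "Set-Cookie: appB.autoUserLoginId=gone; Max-Age=0; Path=/");

        System.out.println("left alive, first response:  " + survivingAutoLoginCookies(sent, before));
        System.out.println("left alive, second response: " + survivingAutoLoginCookies(sent, after));
    }
}
```

A browser only drops a cookie when the expiring `Set-Cookie` uses the same name, path and domain as the original, so a real regression test should also compare those attributes against the values used when the cookie was set.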