
AutoLogin called every time private page clicked

saravanan muniraj, modified 4 Years ago.

Junior Member Posts: 95 Join Date: 6/1/11
All our site pages are private pages, so users are forced to log in first (cookie-based authentication). We override AutoLogin as per the Liferay 7 documentation (https://dev.liferay.com/en/develop/tutorials/-/knowledge_base/7-0/auto-login). User authentication works as expected and establishes the session too, but every time the user clicks any private page, AutoLogin is called again.
<session-timeout>30</session-timeout> is set in web.xml.
The following are the properties settings:
session.timeout.warning=0
session.timeout.auto.extend=true
session.timeout.auto.extend.offset=300
session.timeout=40
auth.simultaneous.logins=false
As per my understanding, AutoLogin is called first and establishes the user session; as long as the session persists, the AutoLogin class should not be invoked again. Please let me know if I am missing any setting or configuration. Liferay DXP 7.0 is used.
Thanks
Olaf Kock, modified 4 Years ago.

RE: AutoLogin called every time private page clicked

Liferay Legend Posts: 6396 Join Date: 9/23/08
It doesn't sound like this will likely solve your problem, but there's at least one problem with the configuration you quote: With <session-timeout>30</session-timeout> the appserver will time out your session in 30 minutes. With session.timeout=40, Liferay will assume that the appserver times out the session after 40 minutes. In other words, when Liferay attempts to extend the session after 40 minutes (session.timeout.auto.extend=true), the session is long gone. At a minimum, both should be the same value. If they're different, Liferay's portal-ext.properties value should be lower than the appserver's.
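The mismatch described in the reply above can be checked mechanically before deployment. The following is an added example, not code from the thread or from Liferay: it compares the container's <session-timeout> with session.timeout from portal-ext.properties, using constructed file contents that reuse the values quoted in the thread; the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed inputs that reuse the values quoted in the thread.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""
PORTAL_EXT = """# portal-ext.properties
session.timeout.warning=0
session.timeout.auto.extend=true
session.timeout.auto.extend.offset=300
session.timeout=40
auth.simultaneous.logins=false
"""

def appserver_timeout(web_xml):
    """Return <session-timeout> in minutes, or None if web.xml does not set it."""
    for el in ET.fromstring(web_xml).iter():
        # Tags look like "{namespace}session-timeout" when web.xml declares xmlns.
        if el.tag.rsplit("}", 1)[-1] == "session-timeout" and el.text:
            return int(el.text.strip())
    return None

def load_properties(text):
    """Parse key=value lines, skipping blanks and '#' / '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_timeouts(web_xml, portal_ext):
    """List findings where Liferay assumes a longer session than the container keeps."""
    app = appserver_timeout(web_xml)
    props = load_properties(portal_ext)
    if app is None or "session.timeout" not in props:
        return ["cannot compare: one of the two timeouts is not set explicitly"]
    portal = int(props["session.timeout"])
    findings = []
    if portal > app:
        findings.append(f"session.timeout={portal} is higher than <session-timeout>{app}")
        if props.get("session.timeout.auto.extend", "false").lower() == "true":
            findings.append("auto.extend would act on a session the container already expired")
    return findings

if __name__ == "__main__":
    for finding in check_timeouts(WEB_XML, PORTAL_EXT):
        print("WARNING:", finding)
```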
saravanan muniraj, modified 4 Years ago.

RE: AutoLogin called every time private page clicked

Junior Member Posts: 95 Join Date: 6/1/11
Actually, the issue is that after the user is authenticated and logged in successfully, AutoLogin is called again multiple times for the same user immediately after login.
To resolve this issue I thought setting
session.timeout=40
session.timeout.auto.extend=true
session.timeout.auto.extend.offset=300
session.timeout=40
auth.simultaneous.logins=false
in portal-ext.properties would help.
See the custom AutoLogin code below. Please point out what the likely cause of this issue would be.

// Signature as declared by Liferay 7's AutoLogin interface
public String[] login(HttpServletRequest request, HttpServletResponse response)
        throws AutoLoginException {
    final String[] credentials = new String[3];
    // Look up the external authentication cookie; its name comes from the portal properties
    Cookie cookie = getCookie(request, PropsUtil.get(COOKIE_NAME));
    if (cookie == null) {
        // No cookie: send the user to the external login page
        request.setAttribute(AutoLogin.AUTO_LOGIN_REDIRECT, getRedirectUrl(request));
    } else {
        // Validate the cookie value against the authentication back end
        ValidateCookieResponse validateCookieResponse = Authenticate(cookie.getValue());
        if (validateCookieResponse != null) {
            String userName = validateCookieResponse.getUser().getUserLogin();
            if (StringUtils.isBlank(userName)) {
                request.setAttribute(AutoLogin.AUTO_LOGIN_REDIRECT, getRedirectUrl(request));
            } else {
                long companyId = PortalUtil.getCompanyId(request);
                com.liferay.portal.kernel.model.User user = null;
                try {
                    // Map the externally authenticated login to a portal user
                    user = UserLocalServiceUtil.getUserByScreenName(companyId, userName);
                } catch (PortalException e) {
                    request.setAttribute(AutoLogin.AUTO_LOGIN_REDIRECT, getRedirectUrl(request));
                }
                if (user != null) {
                    // Credentials triple expected by the portal: userId, password, encrypted flag
                    credentials[0] = String.valueOf(user.getUserId());
                    credentials[1] = user.getPassword();
                    credentials[2] = String.valueOf(user.isPasswordEncrypted());
                    return credentials;
                } else {
                    request.setAttribute(AutoLogin.AUTO_LOGIN_REDIRECT, getRedirectUrl(request));
                }
            }
        } else {
            // Cookie could not be validated
            request.setAttribute(AutoLogin.AUTO_LOGIN_REDIRECT, getRedirectUrl(request));
        }
    }
    return credentials;
}

Thanks
Eric COQUELIN, modified 4 Years ago.

RE: AutoLogin called every time private page clicked

Expert Posts: 254 Join Date: 11/3/13
I haven't checked, but maybe AutoLogin is called every time...
After authentication, you should have one cookie being set: JSESSIONID. Can you check?
From that moment, for each request, Liferay will check against this cookie and, if valid, will consider your user as logged in.
saravanan muniraj, modified 4 Years ago.

RE: AutoLogin called every time private page clicked

Junior Member Posts: 95 Join Date: 6/1/11
Thanks Eric, JSESSIONID is not set for the cluster server. How to fix it?

Below is the clustered configuration in portal-ext.properties:
# server 1
cluster.link.enabled=true
cluster.link.autodetect.address=<db-server-name>:1433
web.server.display.node=true

# server 2
cluster.link.enabled=true
cluster.link.autodetect.address=<db-server-name>:1433
web.server.display.node=true
Olaf Kock, modified 4 Years ago.

RE: AutoLogin called every time private page clicked

Liferay Legend Posts: 6396 Join Date: 9/23/08
saravanan muniraj:

Thanks Eric, JSESSIONID is not set for the cluster server. How to fix it?
Tomcat, or any application server, will set the JSESSIONID cookie to make sure that the client's session will be referenced in future requests. If you actively work against it, you'll find that somewhere in your infrastructure (it might just be the browser denying cookies, it might be the loadbalancer ignoring them).
The settings that you quote have nothing to do with the web layer setting cookies to the browser.
Without the session cookie, there's simply no persisted authentication, thus you'll have to re-authenticate every single request.
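To locate where the session cookie gets lost, as the replies above suggest, the request and response headers of a few consecutive page clicks can be compared. The following is an added example, not code from the thread: it classifies a captured sequence by whether JSESSIONID was issued and then sent back; the captures are constructed, and SSO_TOKEN is a made-up name for the external authentication cookie.

```python
from http.cookies import SimpleCookie

# Constructed captures: one (request headers, response headers) pair per page click.
SSO = "SSO_TOKEN=abc"  # made-up external authentication cookie
DROPPED = [({"Cookie": SSO}, {"Set-Cookie": f"JSESSIONID={sid}; Path=/; HttpOnly"})
           for sid in ("A1", "B2", "C3")]
HEALTHY = [({"Cookie": SSO}, {"Set-Cookie": "JSESSIONID=A1; Path=/; HttpOnly"}),
           ({"Cookie": SSO + "; JSESSIONID=A1"}, {}),
           ({"Cookie": SSO + "; JSESSIONID=A1"}, {})]
NEVER_SET = [({"Cookie": SSO}, {}), ({"Cookie": SSO}, {})]
REISSUED = [({"Cookie": SSO}, {"Set-Cookie": "JSESSIONID=A1; Path=/"}),
            ({"Cookie": SSO + "; JSESSIONID=A1"}, {"Set-Cookie": "JSESSIONID=B2; Path=/"}),
            ({"Cookie": SSO + "; JSESSIONID=B2"}, {"Set-Cookie": "JSESSIONID=C3; Path=/"})]

def cookie_value(header, name):
    """Extract one cookie's value from a Cookie or Set-Cookie header string."""
    if not header:
        return None
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value if name in jar else None

def diagnose(exchanges, name="JSESSIONID"):
    """Classify how the session cookie behaves across consecutive requests."""
    issued = None  # most recent session id handed out by the server
    issued_count = followups = returned = reissued = 0
    for request, response in exchanges:
        sent = cookie_value(request.get("Cookie"), name)
        sent_current = issued is not None and sent == issued
        if issued is not None:
            followups += 1
            returned += sent_current
        new_id = cookie_value(response.get("Set-Cookie"), name)
        if new_id is not None:
            reissued += sent_current  # server replaced an id the client did return
            issued, issued_count = new_id, issued_count + 1
    if issued_count == 0:
        return "never_set"      # the server side never sent Set-Cookie
    if followups == 0:
        return "inconclusive"   # no request was captured after the cookie was issued
    if returned == 0:
        return "not_returned"   # lost between server and client, or refused by the browser
    return "reissued" if reissued else "ok"

if __name__ == "__main__":
    for label, capture in [("dropped", DROPPED), ("healthy", HEALTHY)]:
        print(label, "->", diagnose(capture))
```

A result of "not_returned" or "reissued" means every request arrives without a usable session, which matches the symptom of AutoLogin running on each click.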