liferay / liferay-mobile-sdk

Same session with different credentials fix #15

Closed asotog closed 9 years ago

asotog commented 9 years ago

Noticed that after logging in with 2 different users the JSESSIONID was the same, so I found that ephemeralSessionConfiguration fixes that issue because on every request it sends clean data instead of sending the same session every time in the server request.

Steps to reproduce: found that calling the service with user A worked fine, but when calling the service with user B the server assumes it is user A because of the same JSESSIONID in the request cookie.

Thanks in advance,

yuchi commented 9 years ago

We already do this in Liferay Connector. It's a little bit heavier for the server, AFAIK.

asotog commented 9 years ago

Hi, what's Liferay Connector? We found this issue when trying to retrieve the logged-in user from a service (Java code) using the PrincipalBean.getUser() method; the submitted approach just needs a change on the client code.

yuchi commented 9 years ago

See https://github.com/smclab/Liferay-connector

It's the Node.js and Titanium sibling of Liferay Mobile SDK.

asotog commented 9 years ago

Awesome, didn't know a Node.js client exists, but we are using the Swift application directly calling the Liferay server :(

brunofarache commented 9 years ago

Thanks for catching this @asotog. I tried to reproduce it with a test but couldn't:

https://github.com/brunofarache/liferay-mobile-sdk/commit/c895c162a2b76be4dfcb7d2521f58f265f493a0c

I did this:

  1. Created a user with email "bruno.farache@liferay.com". Haven't assigned him to any site.
  2. I try first to call getUserSites() for the admin user ("test@liferay.com").
  3. It returns 2 sites (XCTAssertEqual(2, [groups count]);)
  4. I make the same getUserSites() call for the user I just created.
  5. It returns 1 site (XCTAssertEqual(1, [groups count]);). As expected.

If I were able to reproduce it, it should have returned 2 sites for the "bruno" user, the same sites as the "admin" user.

Which services are you using to reproduce this?

asotog commented 9 years ago

I think it is an issue happening in the backend. We are calling a custom service; the custom service retrieves the user using self.getUser(). The getUser method is part of the PrincipalBean class, and when getUser is called for User B it still has the same JSESSIONID User A used initially.

For example, let's say we have a method like getUserBookmarks() -> NSArray, but that method automatically retrieves the user under the hood in the backend (notice that the method has no parameters to identify whose bookmarks it is going to retrieve). So, e.g., User A calls it and retrieves User A's bookmarks, but then logs out, and User B calls the same method but gets User A's bookmarks instead of User B's. That's pretty much what happened on our project.
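A minimal model of the bug described in this thread, added here as an example that is not part of the Liferay Mobile SDK or of any poster's code: the fake server binds the principal to the session on the first authenticated request, so a client that keeps its cookie jar across logins is resolved as the first user, while a client that starts each login with a fresh cookie store (what ephemeralSessionConfiguration gives NSURLSession) is resolved as the user it actually authenticated as. FakeServer, Client and run are constructed names.

```python
"""Constructed model of JSESSIONID reuse across two logins on one client."""
import secrets


class FakeServer:
    """Mimics a servlet container: the first authenticated request creates a
    session bound to that principal and hands back a JSESSIONID cookie; later
    requests carrying the cookie resolve the user from the session, which is
    what a server-side getUser() call sees rather than the new credentials."""

    def __init__(self):
        self.sessions = {}  # JSESSIONID -> principal bound at creation

    def handle(self, auth_user: str, cookies: dict) -> tuple:
        sid = cookies.get("JSESSIONID")
        if sid in self.sessions:
            return self.sessions[sid], {}  # user taken from the session
        sid = secrets.token_hex(8)
        self.sessions[sid] = auth_user
        return auth_user, {"JSESSIONID": sid}  # Set-Cookie on first request


class Client:
    """ephemeral=True drops the cookie store on every login, like an
    NSURLSession built from ephemeralSessionConfiguration; False keeps the
    shared cookie jar, like the default (persistent) configuration."""

    def __init__(self, server: FakeServer, ephemeral: bool):
        self.server, self.ephemeral, self.jar, self.user = server, ephemeral, {}, None

    def login(self, user: str):
        if self.ephemeral:
            self.jar = {}  # fresh cookie store for the new credentials
        self.user = user

    def get_user(self) -> str:
        principal, set_cookies = self.server.handle(self.user, self.jar)
        self.jar.update(set_cookies)  # client stores whatever the server sets
        return principal


def run(ephemeral: bool) -> list:
    """Log in as userA then userB on one client; return who the server saw."""
    client = Client(FakeServer(), ephemeral)
    seen = []
    for user in ("userA", "userB"):
        client.login(user)
        seen.append(client.get_user())
    return seen  # shared jar -> ["userA", "userA"]; ephemeral -> ["userA", "userB"]
```

Clearing the cookie storage on logout gives the same isolation without the per-request cost of an ephemeral session; either way, a regression test should assert that the JSESSIONID differs between two logins on the same client.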

brunofarache commented 9 years ago

Tried another test:

https://github.com/brunofarache/liferay-mobile-sdk/commit/9e879c41994f0d9c1b3d899bb36450d75b359062

Getting the authenticated user by email address. "bruno" can't fetch "admin" user's information. So, can't reproduce yet.

But I will just merge the change, I don't think it will break anything else.

I double-checked synchronous requests as I think we are good because we are using NSURLRequestReloadIgnoringLocalCacheData for cachePolicy:

https://github.com/brunofarache/liferay-mobile-sdk/blob/master/ios/Source/Http/LRHttpUtil.m#L67

asotog commented 9 years ago

Ahh, forgot to mention it happens on async requests :(

brunofarache commented 9 years ago

Oh yeah, I knew. I was just saying synchronous requests probably don't have this issue. If you could double-check, it would be great.