How to make my login page stateless?


Francois

27 March 2018, 07:43:59
to lif...@googlegroups.com

Hello,

We encounter a problem where my login page is stateful and it seems to make the Jetty 9 session manager behave strangely (see: https://groups.google.com/forum/#!topic/liftweb/lcn6U6_Igxk).

There is actually no reason to have that login page stateful, even if, sure enough, a session is created, the Lift request is marked stateful, and a jsessionid cookie is set.

The page is pure HTML but for one snippet which is stateless (it only rewrites some HTML given some server-side info that never changes until reboot).

When looking at the source, the body in the page contains the id/liftgc attributes.

So, how can I tell Lift that that page (and only that one) should be stateless? Is there something special to add somewhere? I know how to do a stateless REST API with LiftRules.statelessDispatch and by building the response from scratch, but in that case I have an HTML page in my webapp directory and I would prefer to continue to use Lift's built-in logic for the request <-> HTML mapping.

Thanks for any help, even resources toward docs would be appreciated (I didn't find them if they exist, sorry).

-- 
Francois ARMAND - @fanf42
https://github.com/Normation/rudder
http://www.normation.com

Francois

27 March 2018, 08:01:27
to lif...@googlegroups.com

Of course, I found (the start of) an answer just after posting: https://cookbook.liftweb.net/book.html#discussion-2ksLtair

So I just have to append ">> Stateless" next to the page in SiteMap.

But it is only one part of the solution, because I need to actually clean up anything about the jsessionid (cookie, URL parameter) when the user comes to that page. Is it possible?

Francois

27 March 2018, 12:40:53
to lif...@googlegroups.com

Some more information: in SiteMap I added ">> StateLess", and in Boot.scala I added:

    LiftRules.statelessReqTest.append {
      case StatelessReqTest(           Nil, _ ) => true
      case StatelessReqTest("index" :: Nil, _ ) => true
    }

Now, the page no longer has the added tag in body (data-lift-session-id and data-lift-gc).

But at the end of the page, there is still:

    <script type="text/javascript" src="/rudder-web/lift/page/F545932278512IYUW4F.js"></script>

And when debugging session state, I get:

    =====> Processing [F5459322785114FKPV4 // F545932278510WBUWQR] request: http://localhost:8082/rudder-web/
    =====> CREATE Session [F545932278529DK50RC // node0a4gxkmz5yqvg1wst97ysg66nq29] with [http://localhost:8082/rudder-web/lift/page/F545932278512IYUW4F.js]
    =====> Processing [F545932278529DK50RC // node0a4gxkmz5yqvg1wst97ysg66nq29] request: http://localhost:8082/rudder-web/lift/page/F545932278512IYUW4F.js
    =====> Processing [F545932278529DK50RC // node0a4gxkmz5yqvg1wst97ysg66nq29] request: http://localhost:8082/rudder-web/lift/page/F545932278512IYUW4F.js


How can I make the page really stateless (and why the double request towards /lift/page/F545932278512IYUW4F.js)?

Thanks !
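
A check for the session markers named in the posts above (jsessionid cookie or URL parameter, the data-lift-session-id and data-lift-gc body attributes, the /lift/page/….js script), as an added example that is not part of any post in this thread or of Lift itself. The function name `stateful_markers` and the sample response are constructed for illustration, and the cookie name assumes the servlet container default (JSESSIONID).

```python
import re
from html.parser import HTMLParser

# Markers of a stateful Lift page named in the thread above.
STATEFUL_ATTRS = {"data-lift-session-id", "data-lift-gc"}
PAGE_JS = re.compile(r"/lift/page/[^/\"']+\.js")
JSESSIONID_URL = re.compile(r";jsessionid=", re.IGNORECASE)


class _MarkerScan(HTMLParser):
    """Collects stateful markers from the tags of an HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        for name, value in attrs:
            value = value or ""
            if tag == "body" and name in STATEFUL_ATTRS:
                self.findings.append(f"body attribute {name}")
            if tag == "script" and name == "src" and PAGE_JS.search(value):
                self.findings.append(f"page JS script {value}")
            if name in ("href", "src", "action") and JSESSIONID_URL.search(value):
                self.findings.append(f"jsessionid in URL {value}")


def stateful_markers(headers, body):
    """Return the session markers found in one HTTP response.

    headers: list of (name, value) pairs; body: decoded HTML text.
    """
    findings = []
    for name, value in headers:
        # Assumption: the container uses the default cookie name JSESSIONID.
        if name.lower() == "set-cookie" and value.strip().lower().startswith("jsessionid="):
            findings.append("Set-Cookie JSESSIONID")
    scan = _MarkerScan()
    scan.feed(body)
    scan.close()
    return findings + scan.findings


# Constructed sample: a response like the one in the post above (script tag still present).
SAMPLE_HEADERS = [("Content-Type", "text/html; charset=utf-8")]
SAMPLE_BODY = ('<html><body><h1>Login</h1><script type="text/javascript" '
               'src="/rudder-web/lift/page/F545932278512IYUW4F.js"></script></body></html>')

if __name__ == "__main__":
    for finding in stateful_markers(SAMPLE_HEADERS, SAMPLE_BODY):
        print("stateful marker:", finding)
```

An empty result for the login page's response means none of these markers is present; the check can run as a regression test against a captured response.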

Antonio Salazar Cardozo

27 March 2018, 15:13:21
to Lift
Yeouch. That's straight up a bug. We should not include a page JS file on pages that aren't
stateful, but we definitely do. We should probably, in these cases, dump the page JS at the
end of the page in a script tag… Or just not do event extraction. Either way things get hairy
in the world of content security policy.

Please file an issue, this is definitely something we need to fix.
Thanks,
Antonio

Francois

27 March 2018, 20:25:34
to lif...@googlegroups.com, Antonio Salazar Cardozo
Issue opened here: https://github.com/lift/framework/issues/1946

The root cause seems to be the use of HttpServletRequest.changeSessionId, as demoed in the minimal project here: https://github.com/fanf/demo-bug-lift-session

Hope it helps