Cookies help us deliver our services.

By using our services, you agree to our use of cookies. Learn more

I understand

Details
Category: Liferay
Hits: 5716

Today I'll show you how to solve a problem perhaps not too frequent but useful in some contexts.

The case history is quite simple to explain: while browsing a Liferay site as a Guest user I need to set some session variables and then, when the user logs in, these variables must remain in the session. Although there are several different ways to solve the problem with Liferay, I'll show you what I think to be the safest and most elegant one.

The most classic example that comes to my mind is the shopping cart of an e-commerce site: the guest user starts to fill the cart and all the items end up in the session but at the time of the payment the user must log in and the cart must not be lost after login.

Liferay default settings do not allow you to do this because at the time of the login the user session (the guest user) is invalidated and therefore all data is lost; the reason for this behavior lies in the need to avoid phishing issues.

Therefore the first solution that can be put in place is to completely disable the protection against phishing and this can be done by setting the following property in the portal-ext.properties file:

session.enable.phishing.protection=false

Needless to say, this solution is a bit brutal and it would be better to avoid it; however, there is another much more useful property:

session.phishing.protected.attributes=\
    CAS_LOGIN,\
    HTTPS_INITIAL,\
    LAST_PATH,\
    OPEN_ID_CONNECT_SESSION,\
    SETUP_WIZARD_PASSWORD_UPDATED

This property does nothing but list the name of the session variables that must be copied to the new session when the user logs in; the only thing to keep in mind is that these session variables must be stored within the HTTP session of the original portal request, so forget the PortalSession!

Let's see a practical example. First we need to add our session variable to the list and restart the portal:

 

session.phishing.protected.attributes=\
    CAS_LOGIN,\
    HTTPS_INITIAL,\
    LAST_PATH,\
    OPEN_ID_CONNECT_SESSION,\
    SETUP_WIZARD_PASSWORD_UPDATED,\
    MY_SESSION_VARIABLE

Then we must remember that the variable must be stored within the HTTP session of the original portal request:

import javax.portlet.PortletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import com.liferay.portal.kernel.util.PortalUtil;

// [...]
 
HttpServletRequest request = PortalUtil.getHttpServletRequest(portletRequest);
request = PortalUtil.getOriginalServletRequest(request);

HttpSession session = request.getSession();

Once the HTTP session is retrieved we can read and write our variable:

MyObject myObject = ...;
session.setAttribute("MY_SESSION_VARIABLE", myObject);

MyObject myObject = (MyObject) session.getAttribute("MY_SESSION_VARIABLE");

That's all!

Enjoy!