Describe the bug
When a user logs out and logs back in via OIDC/SSO within the same browser tab, the "Assign to me" button on alerts assigns the alert to the previously logged-in user instead of the current one.
This is caused by userWhoami being cached in sessionStorage and not cleared on logout. When a new user logs in, the stale user_id from the previous session is used by the "Assign to me" action.
Relevant code in common.js:
let userWhoami = JSON.parse(sessionStorage.getItem('userWhoami'));
Relevant code in alerts.js:
onclick="updateAlert(${alert.alert_id}, {alert_owner_id: userWhoami.user_id}, true)"
To Reproduce
- Log in as
administrator (local account)
- Log out
- Log in as a different user via OIDC/SSO (same browser tab)
- Go to Alerts
- Click "Assign to me" on any alert
- The alert is assigned to
administrator instead of the currently logged-in user
Expected behavior
The alert is assigned to the currently authenticated user.
Screenshots
N/A
Desktop (please complete the following information):
- OS: Ubuntu 24.04
- Browser: Firefox 151.0
- Version: IRIS v2.4.27
Smartphone (please complete the following information):
N/A
Additional context
Deployed via Docker using the official docker-compose setup.
The userWhoami object is correctly returned by /user/whoami for the current user, but the cached value in sessionStorage is not invalidated on logout, causing the stale user_id to be used.
Workaround: run in browser console after re-login:
sessionStorage.removeItem('userWhoami');
location.reload();
Suggested fix: clear userWhoami from sessionStorage on logout, or force userWhoamiRequest(true) on every page load regardless of cache.
Describe the bug
When a user logs out and logs back in via OIDC/SSO within the same browser tab, the "Assign to me" button on alerts assigns the alert to the previously logged-in user instead of the current one.
This is caused by
userWhoamibeing cached insessionStorageand not cleared on logout. When a new user logs in, the staleuser_idfrom the previous session is used by the "Assign to me" action.Relevant code in
common.js:Relevant code in
alerts.js:To Reproduce
administrator(local account)administratorinstead of the currently logged-in userExpected behavior
The alert is assigned to the currently authenticated user.
Screenshots
N/A
Desktop (please complete the following information):
Smartphone (please complete the following information):
N/A
Additional context
Deployed via Docker using the official
docker-composesetup.The
userWhoamiobject is correctly returned by/user/whoamifor the current user, but the cached value insessionStorageis not invalidated on logout, causing the staleuser_idto be used.Workaround: run in browser console after re-login:
Suggested fix: clear
userWhoamifromsessionStorageon logout, or forceuserWhoamiRequest(true)on every page load regardless of cache.