Topic
  • 4 replies
  • Latest Post - ‏2011-04-20T13:40:50Z by tzhao
tzhao
tzhao
15 Posts

Pinned topic How to programmatically get LTPA and LTPA V2 cookie name

‏2011-04-18T18:44:29Z |
Since WebSphere v8 allows user to set LTPA and LTPA V2 cookie name (from Security -> Global security -> Single sign-on (SSO)), how can application retrieve the LTPA and LTPA V2 cookie name programmatically? Similarly, how to retrieve the HTTP session cookie name since it is also configurable. The purpose of it is to programmatically cleanup those cookies from the application.

Thanks!
Updated on 2011-04-20T13:40:50Z at 2011-04-20T13:40:50Z by tzhao
  • kark
    kark
    18 Posts

    Re: How to programmatically get LTPA and LTPA V2 cookie name

    ‏2011-04-19T15:48:13Z  
    Hi,

    Irrespective of what cookie names are used (default or customized), you can use the revokeSSOCookies method in WSSecurityHelper class to clean out the LTPA cookies and invalidate the session.

    Here is the link to WSSecurityHelper.
    http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/security/WSSecurityHelper.html

    --Ajay Reddy
  • tzhao
    tzhao
    15 Posts

    Re: How to programmatically get LTPA and LTPA V2 cookie name

    ‏2011-04-19T22:54:26Z  
    • kark
    • ‏2011-04-19T15:48:13Z
    Hi,

    Irrespective of what cookie names are used (default or customized), you can use the revokeSSOCookies method in WSSecurityHelper class to clean out the LTPA cookies and invalidate the session.

    Here is the link to WSSecurityHelper.
    http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/security/WSSecurityHelper.html

    --Ajay Reddy
    Hi Ajay,

    Thanks for your help!

    According to the document, revokeSSOCookies(HttpServletRequest, HttpServletResponse) method removes the WebSphere Application Server Single Sign-on (SSO) cookies if SSO is enabled.
    You suggested to "use the revokeSSOCookies method in WSSecurityHelper class to clean out the LTPA cookies and invalidate the session".
    Does invalidating SSO cookie also invalidate the HTTP session? Or does this method also remove the HTTP session cookie?

    Thanks,
    Ting
  • kark
    kark
    18 Posts

    Re: How to programmatically get LTPA and LTPA V2 cookie name

    ‏2011-04-20T03:08:49Z  
    • tzhao
    • ‏2011-04-19T22:54:26Z
    Hi Ajay,

    Thanks for your help!

    According to the document, revokeSSOCookies(HttpServletRequest, HttpServletResponse) method removes the WebSphere Application Server Single Sign-on (SSO) cookies if SSO is enabled.
    You suggested to "use the revokeSSOCookies method in WSSecurityHelper class to clean out the LTPA cookies and invalidate the session".
    Does invalidating SSO cookie also invalidate the HTTP session? Or does this method also remove the HTTP session cookie?

    Thanks,
    Ting
    Ting,

    The session is invalidated when you use the form logout (eg adminConsole logout). However, when using the programmatic logout using this API, only the SSO cookies are cleared (as the Javadoc indicates) and the application can invalidate the session using session.invalidate() to invalidate the session. Sorry for the confusion.

    --Ajay
  • tzhao
    tzhao
    15 Posts

    Re: How to programmatically get LTPA and LTPA V2 cookie name

    ‏2011-04-20T13:40:50Z  
    • kark
    • ‏2011-04-20T03:08:49Z
    Ting,

    The session is invalidated when you use the form logout (eg adminConsole logout). However, when using the programmatic logout using this API, only the SSO cookies are cleared (as the Javadoc indicates) and the application can invalidate the session using session.invalidate() to invalidate the session. Sorry for the confusion.

    --Ajay
    Hi Ajay,

    Thanks!
    Ting