4 replies Latest Post - ‏2014-01-05T12:05:18Z by Nisreen123
Vivekanandsk
1 Post

Pinned topic WebSEAL - WAS 7 - TAI++ Session Invalidation Problem

‏2013-03-12T17:50:00Z |
I have a web app deployed on WAS 7 behind TAM WebSEAL 6.1; it uses TAI and LTPA2 single sign-on.
User login and SSO are working perfectly.
At logout, "HTTPSession.invalidate()" is invoked and "https://<webseal url>/pkmslogout" is called.
The problem is:
After logout, the WebSEAL session seems to clear, but the WebSphere JSESSIONID cookie stays. Also, the session cache on WAS still has the old user's information when logged in with a new user.

Does anyone know if I'm doing the correct logout implementation?
Is there any other configuration in the SSO settings that protects this session cache from being deleted when the session is invalidated?

Thank you.
  • rochbu
    1 Post

    Re: WebSEAL - WAS 7 - TAI++ Session Invalidation Problem

    ‏2013-04-26T15:29:50Z  in response to Vivekanandsk

    I'd be interested in any resolution to this issue. We have the same scenario.

    Thanks,
    Rob

  • Raj A
    3 Posts

    Re: WebSEAL - WAS 7 - TAI++ Session Invalidation Problem

    ‏2013-07-18T15:23:47Z  in response to Vivekanandsk

    Do something like this in the logout.html on WebSEAL:

    function deleteCookie(name,path,domain)
    {
        // Set expiration date to last year
        var edate = new Date();
        edate.setFullYear(edate.getFullYear() - 1);
        var eDateStr = edate.toUTCString();
        // Expire the cookie; path and domain must match the ones it was set with
        var cookieStr = name+"=;expires=" + eDateStr;
        if(path!=null)
            cookieStr+=";path=" + path;
        if(domain!=null)
            cookieStr+=";domain=" + domain;
        document.cookie=cookieStr;
        //alert(cookieStr);
    }

    and load it on the body:

    <body onLoad="deleteCookie('JSESSIONID','/',null);setTimeout('delayer()', 5)">

  • JoshR
    1 Post

    Re: WebSEAL - WAS 7 - TAI++ Session Invalidation Problem

    ‏2014-01-03T22:47:52Z  in response to Vivekanandsk

    Was the suggested approach useful?

    I have a similar setup; however, I'm using a junction with forms-based authentication. I need to ensure that the application returns to the login form after a logout button is clicked for another user to provide credentials. I am trying to do this with a logout method in a Managed Bean on the server (see below). I am receiving a 404 error with this code. Is this a WebSEAL configuration problem? Will the attempt to invalidate the session from the server work?

    public String logout() {
        Log.logInfo("AUDIT", String.format("Logout called -- invalidate user session"));

        ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
        context.invalidateSession();
        HttpServletRequest request = (HttpServletRequest) context.getRequest();

        try {
            request.logout();
            HttpServletResponse response = (HttpServletResponse) context.getResponse();
            response.sendRedirect(redirect_URL_goes_here);
        }
        catch (ServletException e) {
            // logging
        }
        catch (IOException e) {
            // logging
        }

        return "index?faces-redirect=true";
    }

    Updated on 2014-01-03T22:49:45Z at 2014-01-03T22:49:45Z by JoshR
  • Nisreen123
    34 Posts

    Re: WebSEAL - WAS 7 - TAI++ Session Invalidation Problem

    ‏2014-01-05T12:05:18Z  in response to Vivekanandsk

    Make sure that you delete all cookies at the logout.html page found in WebSEAL:

    <HTML>
    <HEAD>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    </HEAD>
    <BODY>
    <script type="text/javascript">
    var warningString = "WARNING: To maintain your login session, make sure that your browser is configured to accept Cookies.";
    document.cookie = 'acceptsCookies=yes';
    if(document.cookie == '') {
        document.write(warningString);
    } else {
        // Cookie Crumbler: walk document.cookie and expire every cookie by name
        var strSeparator1 = " ";
        var strSeparator2 = "=";
        var strCookie = document.cookie;
        var strCookieName = null;
        var intCount;
        var intStart = 0;
        var intEnd = 0;

        for (intCount = 1; intCount < strCookie.length; intCount++) {
            if (strCookie.charAt(intCount) == strSeparator2) {
                // Text between the last separator and "=" is the cookie name
                intEnd = intCount;
                strCookieName = strCookie.substring(intStart, intEnd);
                // Overwrite the cookie with an expiry date in the past so the browser discards it
                document.cookie = strCookieName + "=yes; expires=Thu, 01 Jan 1970 00:00:00 GMT";
                strCookieName = null;
            }
            if (strCookie.charAt(intCount) == strSeparator1) {
                intStart = intCount + 1;
            }
        }
    }

    window.location = "Your redirect URL";
    </script>
    </BODY>
    </HTML>
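
Both logout.html scripts in this thread try to remove JSESSIONID from the browser through document.cookie. The added example below is not code from any poster; the CookieJar model, the host name sso.example.test and all cookie values are constructed assumptions. It models the browser rule that a stored cookie is matched by name, domain and path, and that an HttpOnly cookie is out of a script's reach, to show when such a delete leaves the cookie in place.

```javascript
// Simplified model of a browser cookie store (after RFC 6265); added illustration.
class CookieJar {
  constructor() { this.cookies = []; }
  // Cookie received in a Set-Cookie response header.
  setFromServer(c) { this.store(c, true); }
  // Assignment to document.cookie by a script on `host`, page at `pagePath`.
  setFromScript(str, host, pagePath) {
    const [pair, ...attrs] = str.split(";").map(s => s.trim());
    const eq = pair.indexOf("=");
    // Defaults without attributes: host-only cookie, directory of the page.
    const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: host,
                path: pagePath.slice(0, pagePath.lastIndexOf("/")) || "/" };
    for (const a of attrs) {
      const m = /^([^=]*)=?(.*)$/.exec(a);
      const key = m[1].toLowerCase(), val = m[2];
      if (key === "path") c.path = val;
      else if (key === "domain") c.domain = val;
      else if (key === "expires") c.expires = new Date(val);
    }
    this.store(c, false);
  }
  store(c, fromHttp) {
    // A stored cookie is identified by name + domain + path, not by name alone.
    const i = this.cookies.findIndex(o =>
      o.name === c.name && o.domain === c.domain && o.path === c.path);
    // Scripts cannot overwrite or expire a cookie that was set HttpOnly.
    if (i >= 0 && this.cookies[i].httpOnly && !fromHttp) return;
    if (i >= 0) this.cookies.splice(i, 1);
    const expired = c.expires && c.expires.getTime() <= Date.now();
    if (!expired) this.cookies.push(c);
  }
}

// True if the server-set cookie is still stored after the script's delete attempt.
function survivesScriptDelete(serverCookie, deleteStr) {
  const jar = new CookieJar();
  jar.setFromServer(serverCookie);
  jar.setFromScript(deleteStr, "sso.example.test", "/logout.html");
  return jar.cookies.some(c => c.name === serverCookie.name && c.value === serverCookie.value);
}
// Constructed samples: a string of the shape deleteCookie('JSESSIONID','/',null) writes.
const DELETE = "JSESSIONID=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
const base = { name: "JSESSIONID", value: "0000sample", domain: "sso.example.test" };
const results = {
  matchingPath: survivesScriptDelete({ ...base, path: "/" }, DELETE),               // false
  otherPath: survivesScriptDelete({ ...base, path: "/app" }, DELETE),               // true
  httpOnly: survivesScriptDelete({ ...base, path: "/", httpOnly: true }, DELETE),   // true
};
console.log(results);
```

When the script-side delete cannot match the cookie, the cookie has to be expired by a Set-Cookie response header from the server that issued it, using the same name, domain and path.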