• 4 replies
  • Latest Post - ‏2014-01-05T12:05:18Z by Nisreen123
1 Post

WebSEAL - WAS 7 - TAI++ Session Invalidation Problem

‏2013-03-12T17:50:00Z |
I have a web app deployed on WAS 7 behind TAM WebSEAL 6.1; it uses TAI and LTPA2 single sign-on.
User login and SSO are working perfectly.
At logout, "HTTPSession.invalidate()" is invoked and "https://<webseal url>/pkmslogout" is called.
The problem is:
After logout, the WebSEAL session seems to clear, but the WebSphere JSESSIONID cookie stays. Also, the session cache on WAS has the old user information when logging in with a new user.

Does anyone know if I'm doing the correct logout implementation?
Is there any other configuration in the SSO settings that protects this session cache from being deleted when the session is invalidated?

Thank you.
  • rochbu
    1 Post

    Re: WebSEAL - WAS 7 - TAI++ Session Invalidation Problem


    I'd be interested in any resolution to this issue. We have the same scenario.





  • Raj A
    3 Posts

    Re: WebSEAL - WAS 7 - TAI++ Session Invalidation Problem


    Do something like this in the logout.html on WebSEAL:

    function deleteCookie(name, path, domain) {
        // Set expiration date to last year
        var edate = new Date();
        edate.setFullYear(edate.getFullYear() - 1);
        var eDateStr = edate.toUTCString();
        // Expire the cookie
        var cookieStr = name + "=;expires=" + eDateStr;
        cookieStr += ";path=" + path;
        // Only add a domain attribute when one was passed in
        if (domain) {
            cookieStr += ";domain=" + domain;
        }
        // Write the expired cookie back so the browser drops it
        document.cookie = cookieStr;
    }

    and load it on the body:

    <body onLoad="deleteCookie('JSESSIONID','/',null);setTimeout('delayer()', 5)">

  • JoshR
    1 Post

    Re: WebSEAL - WAS 7 - TAI++ Session Invalidation Problem


    Was the suggested approach useful?

    I have a similar setup; however, I'm using a junction with forms-based authentication. I need to ensure that the application returns to the login form after a logout button is clicked, for another user to provide credentials. I am trying to do this with a logout method in a Managed Bean on the server (see below). I am receiving a 404 error with this code. Is this a WebSEAL configuration problem? Will the attempt to invalidate the session from the server work?


    public String logout() {
        Log.logInfo("AUDIT", String.format("Logout called -- invalidate user session"));
        ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
        HttpServletRequest request = (HttpServletRequest) context.getRequest();
        HttpServletResponse response = (HttpServletResponse) context.getResponse();
        try {
            // (the statements inside the try block are missing from the post)
        } catch (ServletException e) {
            // logging
        } catch (IOException e) {
            // logging
        }
        return "index?faces-redirect=true";
    }


    Updated on 2014-01-03T22:49:45Z by JoshR
  • Nisreen123
    52 Posts

    Re: WebSEAL - WAS 7 - TAI++ Session Invalidation Problem


    Make sure that you delete all cookies in the logout.html page found in WebSEAL:

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <script type="text/javascript">
    var warningString = "WARNING: To maintain your login session, make sure that your browser is configured to accept Cookies.";
    document.cookie = 'acceptsCookies=yes';
    if(document.cookie == '') {
    } else {
        // Cookie Crumbler
        var strSeparator1 = " ";
        var strSeparator2 = "=";
        var strCookie = document.cookie;
        var strCookieName = null;
        var intCount;
        var intStart = 0;
        var intEnd = 0;
        for (intCount = 1; intCount < strCookie.length; intCount++) {
            if (strCookie.charAt(intCount) == strSeparator2) {
                intEnd = intCount;
                strCookieName = strCookie.substring(intStart, intEnd);
                // "expires" (not "expire") is the attribute that makes the browser drop the cookie
                document.cookie = strCookieName + "=yes; expires=Fri, 13-Apr-1970 00:00:00 GMT";
                strCookieName = null;
            }
            if (strCookie.charAt(intCount) == strSeparator1) {
                intStart = intCount + 1;
            }
        }
    }
    window.location = "Your redirect URL";
    </script>
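
As an added example (not code from any poster in this thread), the cookie-expiry approach from the replies above written as small testable functions: it splits cookie names on the first "=", uses the `expires` attribute, and retries every path prefix of the current page. The function names and sample values are illustrative. A cookie flagged HttpOnly never appears in `document.cookie` and cannot be expired from script, and expiring a cookie in the browser does not invalidate the session held on the server.

```javascript
// Added example; function names are illustrative, cookie values are constructed.
const EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT";

// Split a document.cookie string ("a=1; b=2") into cookie names.
// Only the first "=" separates name from value, so "pref=a=b" is named "pref".
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      return eq === -1 ? pair : pair.slice(0, eq);
    });
}

// A cookie is only overwritten when the path matches the one it was set with,
// so list every path prefix of the current page, starting from "/".
function candidatePaths(pathname) {
  const paths = ["/"];
  let prefix = "";
  for (const segment of pathname.split("/").filter(Boolean)) {
    prefix += "/" + segment;
    paths.push(prefix);
  }
  return paths;
}

// One expiring cookie string per (name, path) pair. Assumes host-only cookies;
// one set with a Domain attribute needs the same "; domain=..." appended.
function expiryStrings(cookieString, pathname) {
  const out = [];
  for (const name of cookieNames(cookieString)) {
    for (const path of candidatePaths(pathname)) {
      out.push(name + "=; expires=" + EPOCH + "; path=" + path);
    }
  }
  return out;
}

// doc is document and loc is window.location in a browser.
function expireVisibleCookies(doc, loc) {
  const strings = expiryStrings(doc.cookie, loc.pathname);
  for (const s of strings) doc.cookie = s;
  return strings.length;
}

if (typeof document !== "undefined") {
  expireVisibleCookies(document, window.location);
}
```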