IBM Support

PH48145: WEBSPHERE FORMLOGOUT DOES NOT INVOKE TAI LOGOUTS

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • When an application redirects a request to
    ibm_security_logout, the TAI logouts are not invoked.  This can
    result in a user still being logged in with a TAI.
    
    When an application invokes HttpServeletRequest.logout(), the
    TAI logouts are performed.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: WebSphere form logout does not invoke   *
    *                      the                                     *
    *                      TAI logouts.                            *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    When an application redirects a request to ibm_security_logout,
    the TAI logouts are not performed.  This can result in cookies
    and
    cache entries that are not deleted and a TAI may think that a
    user
    is still logged in.
    

Problem conclusion

  • The WebSphere ibm_security_logout method is updated to perform
    the TAI logouts.
    
    If a TAI commits the response, for instance, to redirect to an
    external server for logout, the form logout does not redirect to
    the URL specified on the logoutExitPage parameter of the
    ibm_security_logout request.  Example:
    
    ibm_security_logout?logoutExitPage=logon.jsp
    
    The fix for this APAR is targeted for inclusion in fix packs
    8.5.5.23 and 9.0.5.14. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH48145

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-07-20

  • Closed date

    2022-08-05

  • Last modified date

    2022-08-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
06 August 2022