IBM Support

HttpSession.invalidate() in a logout operation does not force the user back to the login page to reauthenticate

Troubleshooting


Problem

You developed a form-based login application with Struts and cannot log out of the application in a way that redirects you back to the form-based login page to reauthenticate. Entering protected URLs that require authentication does not require the user to log in again, and previously viewed secure pages are still accessible.

Cause

IBM WebSphere Application Server was set up to use the LTPA authentication mechanism with single sign-on (SSO). The call to HttpSession.invalidate() invalidated the HTTP session, but did not invalidate the LTPA token, which the browser continues to present on subsequent requests.

Resolving The Problem

  1. Use the logout feature in Application Server.

    Have your logout forward in your struts-config.xml point to "ibm_security_logout"

    Below is an example that causes a logout and redirects to a page called index.jsp, after which the user is sent to the login page to reauthenticate.
    (The original entry was missing the closing quote on redirect and the closing /> of the element; both are corrected here.)
    <forward name="logout" path="ibm_security_logout?logoutExitPage=index.jsp" redirect="true" contextRelative="false"/>

    More information on the logout feature for WebSphere is provided at:
    Example: Form Login
    http://www.ibm.com/support/knowledgecenter/SS7K4U_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_pofolo.html

  2. Programmatically revoke the SSO cookies by calling

    WSSecurityHelper.revokeSSOCookies(request, response);
    The API is provided at:
    Class WSSecurityHelper
    http://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SS7K4U_8.5.5/com.ibm.websphere.javadoc.doc/web/apidocs/com/ibm/websphere/security/WSSecurityHelper.html

    Example source can be found at:
    Using the Java Authentication and Authorization Service programming model for Web authentication

    http://www.ibm.com/support/knowledgecenter/SS7K4U_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_jaasauthentprog.html
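    The following Struts 1.x Action combines both steps above: it invalidates the HTTP session, revokes the LTPA SSO cookies with WSSecurityHelper.revokeSSOCookies, and then hands off to the "logout" forward that points at ibm_security_logout. It is an added example, not code from the technote or from IBM; the class name LogoutAction and the forward name "logout" are assumptions.

```java
// Added example (not from the IBM technote). Assumes Struts 1.x and a
// struts-config.xml forward named "logout" that points at
// ibm_security_logout?logoutExitPage=index.jsp.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

import com.ibm.websphere.security.WSSecurityHelper;

public class LogoutAction extends Action {

    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {

        // Step A: drop the server-side session state. On its own this does NOT
        // log the user out of WebSphere: the browser still holds a valid LTPA
        // SSO cookie, which is exactly the symptom the technote describes.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Step B: revoke the LTPA SSO cookies so the browser can no longer
        // present them to this or any other SSO-enabled application.
        WSSecurityHelper.revokeSSOCookies(request, response);

        // Step C: hand off to the "logout" forward (redirect="true"), which
        // invokes ibm_security_logout and sends the browser to index.jsp. The
        // next request for a protected URL is met with the form login page.
        return mapping.findForward("logout");
    }
}
```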


Document Information

Modified date:
15 June 2018

UID

swg21254556