  • Delete cookies used by HTTPSessionContextIntegrationFilter

    Hi,
    I have the following problem.

    I have a web application 'A' from which I launch another web application 'B' using SSO.

    1. Login to A as u1.
    2. Click on URL of 'B'.
    3. 'B' webapp launches using SSO as u1.
    4. Close the browser window/tab of 'B' without logging out.
    5. Logout of A.
    6. Login to A as u2.
    7. Click on URL of 'B'.

    Expected behaviour
    8. 'B' webapp launches using SSO as u2.

    Current behaviour
    8. 'B' webapp launches using SSO as u1.

    In the FilterChainProxy filter chain of B, I have the HttpSessionContextIntegrationFilter first and then the auth filters for SSO.

    For the second login, it is not coming to the auth filters, but getting the auth credentials from somewhere inside HttpSessionContextIntegrationFilter and it recognizes it as a valid auth token and logs in as u1. I probably have to clean up the cookie state in HttpSessionContextIntegrationFilter when the window/tab is closed. Some cleanup happens in logout of 'B', but I don't have access to 'B' source code.

    Is there any way I can do a cookie cleanup when the browser is closed or when the second login happens or is there some other way to solve this problem?

  • #2
    Originally posted by shawshank
    Is there any way I can do a cookie cleanup when the browser is closed or when the second login happens or is there some other way to solve this problem?
    You could potentially add some javascript to do the logout for you when you leave B, but that is unreliable at best. Typically one would use Single Logout to indicate to B that the user logged out of A. A simplified and NOT SECURE example of logging in would be to send the user to http://webappb?login=u1 and then to logout you would send a request to http://webappb?logout=u1. There are of course a lot of problems with this simplified example, but it should get the idea across. More realistically I would recommend you check out a standard SSO protocol like CAS or SAML that already supports single logout in a secure fashion.

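The following is an added example, not code from the thread or from Spring Security: a small Python model of steps 1-8 above. `WebAppB` stands in for B's filter chain (session lookup first, SSO auth filter only when no session context exists), the cookie dict stands in for the browser's cookie jar, and `single_logout` mirrors the answer's simplified `?logout=u1` sketch (keyed by user name, which a real CAS/SAML single logout would replace with a session index). All of these names are invented for the illustration.

```python
from dataclasses import dataclass, field
import itertools

_ids = itertools.count(1)  # constructed session id generator


@dataclass
class WebAppB:
    """Hypothetical model of web app B: session store plus the filter order from the question."""
    sessions: dict = field(default_factory=dict)  # JSESSIONID -> principal held in the session context
    auth_filter_hits: int = 0                     # how often the SSO auth filters actually ran

    def request(self, cookies: dict, sso_user: str) -> str:
        # HttpSessionContextIntegrationFilter runs first: if the cookie names a live session,
        # the stored SecurityContext is reused and the auth filters never see the request.
        sid = cookies.get("JSESSIONID_B")
        if sid in self.sessions:
            return self.sessions[sid]
        # No session context: the SSO auth filter authenticates the asserted user and
        # creates a fresh session whose id is handed back to the browser as a cookie.
        self.auth_filter_hits += 1
        sid = f"B{next(_ids)}"
        self.sessions[sid] = sso_user
        cookies["JSESSIONID_B"] = sid
        return sso_user

    def single_logout(self, user: str) -> None:
        # Single Logout notification from A: drop every B session held by that principal.
        self.sessions = {s: u for s, u in self.sessions.items() if u != user}


def run_flow(with_single_logout: bool) -> tuple:
    """Replays steps 1-8 and returns the principal B sees on the first and second launch."""
    b = WebAppB()
    cookies = {}                        # browser cookie jar; closing a tab does not clear it
    first = b.request(cookies, "u1")    # steps 1-3: u1 logs in to A and launches B
    # step 4: the B tab is closed, but JSESSIONID_B stays in the jar while the browser lives
    if with_single_logout:              # step 5: A logs u1 out and (optionally) tells B
        b.single_logout("u1")
    second = b.request(cookies, "u2")   # steps 6-7: u2 logs in to A and launches B
    return first, second


if __name__ == "__main__":
    print("without single logout:", run_flow(False))  # ('u1', 'u1')  the reported behaviour
    print("with single logout:   ", run_flow(True))   # ('u1', 'u2')  the expected behaviour
```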