SEC-874: Delete Single Sign-On LTPA cookies on logout #1129
from SEC-874) said:
When a WebSphere application server is configured for Single Sign-on using LTPA tokens, authentication tokens are stored on the browser as cookies. These tokens need to be removed completely in order to fully log out the user. I have gone into a little more detail here: http://blog.restafarian.org/?p=110 … I have created a patch that modifies the SecurityContextLogoutHandler so that it removes these cookies, which I could attach here, although I don’t see a way to do that at the moment … it’s a pretty small patch, so I could just paste it into this textbox, although that doesn’t really seem to be the most appropriate way to do that. Still, I don’t see any way to do a file attachment, so here goes …
C:/research/spring-security/src/main/java/org/springframework/security/ui/logout/SecurityContextLogoutHandler.java (working copy)
Luke Taylor said:
I’d suggest you implement this as a separate LogoutHandler instance than part of SecurityContextLogoutHandler. You would then add that to your LogoutFilter configuration. It’s pretty similar to the use of RememberMeServices as a LogoutHandler (which clears the remember-me cookie). Since this is also rather specific to an external SSO system, I don’t think it should go in the basic handler class.
Thanks. That was actually my first approach, which seems to be working fine (I made a custom version and just put it in my own package) … I just thought I would try to make it a little bit more generic and throw it out here, just in case anyone else might have encountered the same issue.
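The separate-handler approach Luke suggests, as an added example that is not code from this issue or from Spring Security; it is written against the `org.springframework.security.ui.logout.LogoutHandler` interface of the package the issue references, and the cookie names and domain are assumptions to be set from the actual deployment:

```java
import java.util.Arrays;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.Authentication;
import org.springframework.security.ui.logout.LogoutHandler;

// Expires WebSphere LTPA SSO cookies at logout. Register it as an extra
// LogoutHandler on the LogoutFilter next to SecurityContextLogoutHandler
// instead of modifying that class.
public class LtpaCookieClearingLogoutHandler implements LogoutHandler {
    // Assumed defaults; verify the names against your WebSphere configuration.
    private String[] cookieNames = { "LtpaToken", "LtpaToken2" };

    // Domain the SSO cookies were issued for (e.g. ".example.com"). A browser
    // only replaces a cookie when name, path and domain all match, so a
    // mismatch here silently leaves the token in place.
    private String cookieDomain;

    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return;
        }
        for (Cookie cookie : cookies) {
            if (isLtpaCookie(cookie.getName())) {
                response.addCookie(expiredCopy(cookie));
            }
        }
    }

    private boolean isLtpaCookie(String name) {
        return Arrays.asList(cookieNames).contains(name);
    }

    private Cookie expiredCopy(Cookie original) {
        Cookie expired = new Cookie(original.getName(), "");
        expired.setMaxAge(0); // max-age 0 instructs the browser to delete it
        expired.setPath("/");
        if (cookieDomain != null) {
            expired.setDomain(cookieDomain);
        }
        return expired;
    }

    public void setCookieNames(String[] cookieNames) { this.cookieNames = cookieNames; }
    public void setCookieDomain(String cookieDomain) { this.cookieDomain = cookieDomain; }
}
```

This only expires the cookies held by this browser; the SSO session itself is still live on the server until the WebSphere sign-out described in the addendum below has been performed.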
Brett Delle Grazie said:
Hi, just an addendum to the solution proposed in case anyone picks this up via google or the release notes:
It is important that the user is signed out from the WebSphere SSO instead of just deleting the LTPA cookies – this prevents any
The information below assumes that the user is electing to sign-out completely from the SSO system and not just the
In WebSphere SSO sign-out can be accomplished by a non-returning redirect to:
This redirects to http://example.com/loggedout.htm once the SSO cookies have been deleted. It is possible to use relative
I usually set the redirect URL of the logout handler bean to the above URL if a check box on the logout page is
This way the normal logout handler closes the user’s session and the redirect above drops the LTPA SSO cookie(s).
If anyone knows of a better solution please let me know.