
SEC-874: Delete Single Sign-On LTPA cookies on logout #1129

Closed
spring-issuemaster opened this issue Jun 7, 2008 · 4 comments

@spring-issuemaster spring-issuemaster commented Jun 7, 2008

Restamon (from SEC-874) said:

When a WebSphere application server is configured for Single Sign-on using LTPA tokens, authentication tokens are stored on the browser as cookies. These tokens need to be removed in order to fully log out the user. I have gone into a little more detail here: http://blog.restafarian.org/?p=110 … I have created a patch that modifies the SecurityContextLogoutHandler so that it removes these cookies, which I could attach here, although I don’t see a way to do that at the moment … it’s a pretty small patch, so I could just paste it into this textbox, although that doesn’t really seem to be the most appropriate way to do that. Still, I don’t see any way to do a file attachment, so here goes …

  1. Index: C:/research/spring-security/src/main/java/org/springframework/security/ui/logout/SecurityContextLogoutHandler.java
C:/research/spring-security/src/main/java/org/springframework/security/ui/logout/SecurityContextLogoutHandler.java (revision 3133)

+ C:/research/spring-security/src/main/java/org/springframework/security/ui/logout/SecurityContextLogoutHandler.java (working copy)
@ -20,6 +20,7 @
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.util.Assert;

+import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
@ -37,6 +38,8 @
//~ Methods ========================

```
private boolean invalidateHttpSession = true;
```
- private boolean deleteSecurityCookies = false;
- private String securityCookieNameStartsWith = “LtpaToken”;
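Review bot: the new fields in this hunk hard-code a WebSphere-specific default (`securityCookieNameStartsWith = "LtpaToken"`) into the general-purpose SecurityContextLogoutHandler; a dedicated LogoutHandler registered with the LogoutFilter, as suggested in the comments below, keeps SSO product knowledge out of the core class.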

/** - Requires the request to be passed in. @ -54,6 +57,18 @ } }

- ```
if (deleteSecurityCookies) {
```
- Assert.notNull(response, “HttpServletResponse required when deleteSecurityCookiess = true”);
- Cookie[] cookies = request.getCookies();
- for (int i = 0; i < cookies.length; i++) {
- if (cookies[i].getName().startsWith(securityCookieNameStartsWith)) {
- cookies[i].setMaxAge(0);
- cookies[i].setPath(“/”);
- response.addCookie(cookies[i]);
- }
- }
- }
+
SecurityContextHolder.clearContext();
}
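Review bot: `request.getCookies()` returns null when the request carries no Cookie header, so the loop inside the new `if (deleteSecurityCookies)` block throws a NullPointerException on such a logout; guard it with `if (cookies != null)` before iterating. The expired cookie is written back with only `setPath("/")`, but a browser discards a cookie only when name, path and domain all match what WebSphere originally set (request cookies carry neither attribute), so the domain should be configurable as well. The assertion message also misspells the property as `deleteSecurityCookiess`, and, as the last comment on this issue points out, expiring the browser cookie alone leaves the server-side SSO session open.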

@ -69,6 +84,33 @
*/
public void setInvalidateHttpSession(boolean invalidateHttpSession) {
this.invalidateHttpSession = invalidateHttpSession;
- }
+
- public boolean isDeleteSecurityCookies() {
- ```
return deleteSecurityCookies;
```

}

- /*
- \
Causes the deletion of all browser cookies whose name starts with the value specified in securityCookieNameStartsWith. Defaults to false.
- *
- \* @param deleteSecurityCookies true if you wish the security cookies to be deleted or false (default) if they should
- \* not be.
- /
- public void setDeleteSecurityCookies(boolean deleteSecurityCookies) {
- this.deleteSecurityCookies = deleteSecurityCookies;
- }
+
- public String getSecurityCookieNameStartsWith() {
- return securityCookieNameStartsWith;
- }
+
- /
*
- \* Sets the starting name pattern for the security cookies to be deleted. Defaults to “LtpaToken”.
- *
- \* @param securityCookieNameStartsWith the starting name pattern for the security cookies to be deleted
- */
- public void setSecurityCookieNameStartsWith(String securityCookieNameStartsWith) {
- this.securityCookieNameStartsWith = securityCookieNameStartsWith;
- }
+
}
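Review bot: `setSecurityCookieNameStartsWith` accepts any value, and with an empty prefix `startsWith` matches every cookie, so a logout would expire all of the application's cookies; add `Assert.hasText(securityCookieNameStartsWith, ...)` in the setter. The Javadoc delimiters on the new accessors also appear mangled in the pasted text (`/*` opened and closed with a bare `/`), which would not compile as shown.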

@spring-issuemaster spring-issuemaster commented Jun 7, 2008

Restamon said:

Sorry about pasting this into the description of the issue earlier … it should have been an attachment, but I didn’t see that option when I was creating the issue.


@spring-issuemaster spring-issuemaster commented Jun 7, 2008

Luke Taylor said:

I’d suggest you implement this as a separate LogoutHandler instance rather than as part of SecurityContextLogoutHandler. You would then add that to your LogoutFilter configuration. It’s pretty similar to the use of RememberMeServices as a LogoutHandler (which clears the remember-me cookie). Since this is also rather specific to an external SSO system, I don’t think it should go in the basic handler class.
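A separate LogoutHandler along the lines Luke describes, as an added example rather than code from the issue or from Spring Security; it uses the 2.0-era packages the patch path shows (org.springframework.security.ui.logout.LogoutHandler, org.springframework.security.Authentication), and the class name and the cookiePath/cookieDomain properties are assumptions:

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.Authentication;
import org.springframework.security.ui.logout.LogoutHandler;
import org.springframework.util.Assert;

/**
 * Separate LogoutHandler (hypothetical class, not part of Spring Security) that
 * expires browser cookies whose name starts with a configured prefix, WebSphere's
 * LTPA cookies by default. Register it with the LogoutFilter next to
 * SecurityContextLogoutHandler instead of modifying that class.
 */
public class SsoCookieClearingLogoutHandler implements LogoutHandler {

    private String cookieNamePrefix = "LtpaToken";
    private String cookiePath = "/";
    private String cookieDomain;   // optional; must equal the domain WebSphere set on the cookie

    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        Assert.notNull(response, "HttpServletResponse required to expire SSO cookies");
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {      // getCookies() returns null when the request sent no cookies
            return;
        }
        for (int i = 0; i < cookies.length; i++) {
            if (cookies[i].getName().startsWith(cookieNamePrefix)) {
                // A browser only discards a cookie whose name, path and domain all match the
                // original; request cookies carry neither attribute, so set them explicitly.
                Cookie expired = new Cookie(cookies[i].getName(), "");
                expired.setMaxAge(0);
                expired.setPath(cookiePath);
                if (cookieDomain != null) {
                    expired.setDomain(cookieDomain);
                }
                response.addCookie(expired);
            }
        }
    }

    public void setCookieNamePrefix(String cookieNamePrefix) {
        // an empty prefix would match, and therefore expire, every cookie on the request
        Assert.hasText(cookieNamePrefix, "cookieNamePrefix must not be empty");
        this.cookieNamePrefix = cookieNamePrefix;
    }

    public void setCookiePath(String cookiePath) { this.cookiePath = cookiePath; }
    public void setCookieDomain(String cookieDomain) { this.cookieDomain = cookieDomain; }
}
```

Expiring the browser cookie does not end the SSO session on the WebSphere side; the ibm_security_logout redirect described in the last comment below is still needed for that.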


@spring-issuemaster spring-issuemaster commented Jun 8, 2008

Restamon said:

Thanks. That was actually my first approach, which seems to be working fine (I made a custom version and just put it in my own package) … I just thought I would try to make it a little bit more generic and throw it out here, just in case anyone else might have encountered the same issue.


@spring-issuemaster spring-issuemaster commented Aug 3, 2008

Brett Delle Grazie said:

Hi, just an addendum to the solution proposed in case anyone picks this up via google or the release notes:

It is important that the user is signed out from the WebSphere SSO instead of just deleting the LTPA cookies – this prevents any session hijacking attempts (v. difficult but not impossible if the SSO session is not closed). The same principle may be applied for other SSO systems.

The information below assumes that the user is electing to sign-out completely from the SSO system and not just the application they were just using.

In WebSphere SSO sign-out can be accomplished by a non-returning redirect to:
http://example.com/ibm_security_logout?logoutExitPage=http://example.com/loggedout.htm

This redirects to http://example.com/loggedout.htm once the SSO cookies have been deleted. It is possible to use relative URLs here but the nuances are subtle – better to use full explicit URLs in this case.

I usually set the redirect URL of the logout handler bean to the above URL if a check box on the logout page is set (i.e. sign me out completely check box). Thus effectively I’m chaining the logouts.

This way the normal logout handler closes the user’s session and the redirect above drops the LTPA SSO cookie(s).

If anyone knows of a better solution please let me know.
