FORM-Based authentication -- Issue in Invalidating HttpSessionObject - Websphere



Thread: FORM-Based authentication -- Issue in Invalidating HttpSessionObject

  1. FORM-Based authentication -- Issue in Invalidating HttpSessionObject

    Hi All,

    I have implemented FORM-Based authentication in our application. We have multiple war files and each war file is deployed individually, which means the war files are not packaged in a single EAR package. The system is designed in such a way that every war application can be accessed independently. Security configuration is provided in every war file. Thus once you are authenticated you are allowed to access all war applications, without any further authentication needed.

    There is one severe issue we are facing: when a user logs into the system (say using war app A1), then the user navigates to another application (say war app A2). Now as the user clicks on logout from this second war app A2, the request is submitted to the 'ibm_security_logout' action. As per the documentation it invalidates the HttpSession, but in the above scenario when the user clicks on logout.. the user is actually logged out of the system (as the user is not allowed anymore to access protected resources) BUT when, in the same browser window, you log in as a different user, the session id still seems to be the same as that of the previous session. That means the previously created HttpSession object is not being destroyed properly by the ibm_security_logout servlet.

    It is causing a serious issue in the application, as data stored in the distributed cache of the system is now available to the second user. (We are storing data in the cache, where the key is taken as 'sessionid+key' in the application.) Now the second user is getting application data which was stored for the first user.

    Although when the user logs out of the same application from where he logged in, then the session object is invalidated properly... that means the user tried accessing a resource of WAR A1, was asked for credentials, then he logged out of the system from this A1 war only.

    It seems to be a serious issue to me as of now.. Is WebSphere Security designed in this way only (what people call a FAD).. or is it a BUG in WebSphere..?

    Any help in this regard would be highly appreciated.

    Thanks,
    Gaurav Daga
    Gaurav.Daga@in.ibm.com

  2. Re: FORM-Based authentication -- Issue in Invalidating HttpSessionObject

    Gaurav,

    Did you call HttpSession's invalidate?

    Here's a struts based example:
    http://www-01.ibm.com/support/docvie...id=swg21114756

    You need to do that before you forward to ibm_security_logout.

    thanks,
    dims
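
    The sequence dims describes (invalidate the HttpSession yourself, then hand off to ibm_security_logout), as an added servlet example that is not code from the thread or from IBM's documentation. It assumes a Servlet 3.x API, an in-memory map standing in for the distributed cache keyed as 'sessionid+key', and that forwarding to /ibm_security_logout with a logoutExitPage parameter is acceptable in the deployment; the class name and the exit page are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet for one WAR. It evicts the cache entries tied
// to the current session, invalidates the HttpSession itself, and only then
// hands off to WebSphere's ibm_security_logout.
public class LogoutServlet extends HttpServlet {

    // Stand-in for the application's distributed cache, keyed as
    // sessionId + key as the question describes (constructed for this example).
    static final Map<String, Object> CACHE = new ConcurrentHashMap<>();

    // Remove every entry whose key is prefixed with the given session id.
    static void evictAllForSession(String sessionId) {
        CACHE.keySet().removeIf(k -> k.startsWith(sessionId));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // never create one here
        if (session != null) {
            // Read the id before invalidate(): afterwards getId() may throw.
            String oldId = session.getId();
            // Drop everything bound to the session that is ending so that the
            // next user who logs in from this browser cannot read it.
            evictAllForSession(oldId);
            // Explicitly destroy the container session before the security
            // logout runs; this is the step the reply says must come first.
            session.invalidate();
        }
        // Forward (not redirect) so the POST reaches ibm_security_logout; the
        // logoutExitPage value is an assumed page within this WAR.
        req.getRequestDispatcher("/ibm_security_logout?logoutExitPage=/loggedout.html")
           .forward(req, resp);
    }
}
```

    Map the servlet to the logout link in each WAR so the eviction and invalidate run regardless of which application the user logs out from.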
