2

I am using another webpage that passes the user authentication( AD login ) to WebSphere by URL. When I am logging out I am redirecting towards the log-in page and is already logged in since my session is never closed. I tried a few things to disable the cookie with WebSphere but nothing worked. Is there an easy way to delete the cookies with a java code when I press the log out button? Any help is very appreciated.

Gas
  • 17,601
  • 4
  • 46
  • 93
Dusty
  • 129
  • 1
  • 7
  • 18

1 Answers1

3

If you are using WebSphere 8.x you should use servlet 3.0 api and the request.logout() method, before you are doing redirection to the logout page. This method will remove session and authentication cookies.

For older WebSphere versions/ servlet api use the following (deprecated in WAS v8):

try {
    WSSecurityHelper.revokeSSOCookies(req, res);
    } catch(Exception e) {
    ...
}

UPDATE
For v7 I'd recommend form-logout. If you want to logout form application you create the following logout form, or create custom post to the ibm_security_logout you can use logoutExitPage to redirect to desired page after logout:

<h2>Sample Form Logout</h2>
<FORM METHOD=POST ACTION="ibm_security_logout" NAME="logout">
    <input type="submit" name="logout" value="Logout">
    <INPUT TYPE="HIDDEN" name="logoutExitPage" VALUE="/login.html">
</form>

For more details see Customizing login/logout

If you cannot use this form logout then use the WSSecurityHelper.revokeSSOCookies(req, res) as shown above in your servlet.

Gas
  • 17,601
  • 4
  • 46
  • 93
  • Is there any extra class that I have to add to WebSphere or to change any security parameters? I am using version 7.X – Dusty Dec 15 '14 at 04:39
  • 1
    @Dusty I've updated answer. I don't exactly understand what you mean by extra class or security params. In general you should have Application security turned on in WebSphere, and be using form-login so the LTPA cookie is created. If you are using HTTP Basic authentication, there is no way to logout without closing the browser, as user credentials are stored in headers and resent on every request. – Gas Dec 15 '14 at 10:50
  • What about websphere 9? I tried both of your ideas, neither worked. ALso what is this logout page you refer to? – john k Aug 06 '20 at 21:23
  • @johnktejik please create separate question with detailed description of your problem. Both of these solution work in v9, so you have to describe what is not working for you and what are you doing. – Gas Aug 07 '20 at 07:23