Spring Security: Redirect to invalid-session-url instead of logout-success-url on successful logout

Question

I have implemented a login-logout system with Spring Security 3.0.2, everything is fine but for this one thing: after I added a session-management tag with invalid-session-url attribute, on logout Spring would always redirect me on the invalid-session-url instead of the logout-success-url (which it correctly did before).

Is there a way to avoid this behaviour?

This is my configuration:

<http use-expressions="true" auto-config="true">
        [...some intercept-url's...]

    <form-login login-page="/login" authentication-failure-url="/login?error=true"
            login-processing-url="/login-submit" default-target-url="/home"
            always-use-default-target="true" />

    <logout logout-success-url="/home?logout=true" logout-url="/login-logout" />

    <session-management invalid-session-url="/home?invalid=true" />
</http>

Thanks a lot.

I have the same problem. Do You solve this ? – marioosh Nov 14 '11 at 21:39 — marioosh, Nov 14 '11 at 21:39

Christopher Yang · Answer 1 · 2013-01-03T01:00:37.003

9

By default, the logout process will first invalidate the session, hence triggering the session management to redirect to the invalid session page. By specifying invalidate-session="false" will fix this behavior.

<sec:logout logout-success-url="/logout" invalidate-session="false" 
delete-cookies="JSESSIONID" />

edited Jan 03 '13 at 01:00

answered Jan 03 '13 at 00:51

Christopher Yang

3,769
4
30
27

Then how do we `invalidate` the `session`. – Jop.pop Aug 20 '15 at 23:43
1

Adding the `delete-cookies="JSESSIONID"` should be enough – Jim Richards Jun 15 '16 at 11:25
It is interesting, on my local it works with `invalidate-session="true"` but not while deployed to the prod server, that's why I was confused. Anyways this solution now works on both. – Somebody May 13 '20 at 16:49

score 3 · Answer 2 · answered Jul 16 '10 at 19:05

Do not confuse the logout-url attribute in the logout tag with the invalid-session-url attribute from session-management.

The latter is the URL to execute the action of logging out while the former is the URL being forwarded to upon a logout action.

To put it in other words, when creating a logout button, the URL for that button would be the logout-url value. Now when the logout is done, spring security, be default, will render the main application's root app path, i.e.: http://yourserver:yourport/yourwebapp/. This path is overridden by invalid-session-url. So upon logout, you will be forwarded there.

To sum up, if you don't want the behavior you're asking for, then do not use invalid-session-url attribute. Hope that helps.

`invalidate-session="true"`: use `invalid-session-url`. `invalidate-session="false"`: use logout success handler url. See: [Christopher's answer](http://stackoverflow.com/a/14131584/606662) — Markus Pscheidt, Apr 20 '17 at 07:35
The requester is not talking about the `logout-url`, but rather about the `logout-success-url`, which may be somewhat hidden by the session management. — Mauro Molinari, May 03 '22 at 18:10

Spring Security: Redirect to invalid-session-url instead of logout-success-url on successful logout

2 Answers2

Linked