2 Replies Latest reply on Mar 28, 2008 7:55 AM by ryandavid

    basic authentication cached credential without invalidate se

    ryandavid

      Hello to everybody,
      I am using JBoss with basic authentication and I am seeing a strange behaviour.

      In front of JBoss I have a single sign-on system that unifies the user's login, but unfortunately it doesn't clear any session cookie when the user logs out.

      So with JBoss 4.0.2, I saw the following behaviour:

      1. I authenticate myself as user1 and I see the page (of a web-app) with my data

      2. I log out (the session cookies are kept)

      3. I authenticate myself as user2 and I see the page (of a web-app) with my data

      4. I log out (the session cookies are kept)

      5. I authenticate myself again as user3 and I see the page (of a web-app) with the data of user2!

      It seems as if JBoss, the second time, keeps the previous authentication because it sees some session cookie.

      This behaviour doesn't appear with JBoss 3.2.3.
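
One way a web-app can defend itself when the session cookie outlives the front-end logout, as an added example that is not part of the original post and not JBoss code: a servlet filter that records which user a session belongs to and discards the session when a different user shows up on it. It assumes the credentials reach the application as an HTTP Basic `Authorization` header on every request and a Java 8+ runtime for `java.util.Base64`; the class name `SessionOwnerFilter` and the attribute name `example.sessionOwner` are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example (hypothetical class): never serve a request on another user's session. */
public class SessionOwnerFilter implements Filter {
    static final String OWNER = "example.sessionOwner"; // hypothetical attribute name

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    /** User name from an "Authorization: Basic ..." header, or null if absent or malformed. */
    static String basicUser(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String pair = new String(raw, StandardCharsets.ISO_8859_1);
            int colon = pair.indexOf(':');
            return colon < 0 ? null : pair.substring(0, colon);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Prefer the credentials sent with this request over the container's cached principal.
        String caller = basicUser(http.getHeader("Authorization"));
        if (caller == null) caller = http.getRemoteUser();
        HttpSession session = http.getSession(false); // session named by the kept cookie, if any

        Object owner = (session == null) ? null : session.getAttribute(OWNER);
        if (caller != null && owner != null && !owner.equals(caller)) {
            session.invalidate(); // drops the cached login and any per-user data stored in it
            String q = http.getQueryString();
            HttpServletResponse out = (HttpServletResponse) res;
            out.setStatus(HttpServletResponse.SC_TEMPORARY_REDIRECT); // 307 keeps method and body
            out.setHeader("Location", http.getRequestURI() + (q == null ? "" : "?" + q));
            return; // the retry arrives with no valid session and is authenticated afresh
        }
        chain.doFilter(req, res);
        session = http.getSession(false); // may have been created while handling the request
        if (caller != null && session != null && session.getAttribute(OWNER) == null) {
            session.setAttribute(OWNER, caller); // remember whose session this is
        }
    }
}
```

The filter has to be mapped in the web-app's `web.xml` to every protected URL pattern so that no request reaches the application before the ownership check.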