We have an application deployed as an EAR file with 2 WAR files. We have turned on "single-sign-on" in the undertow subsystem for Wildfly 10.
When a user has logged into the application and has hit links from both WARs they have 3 session cookies assigned to them, one for each WAR and JSESSIONIDSSO.
When we go to logout, we invalidate one of the sessions from one of the WARs (with have tried both). The issue we are seeing is the session logout is not propagating to the other WAR session which seems to stay active forever. We have some events that get called when a session is destroyed and those are not getting called for the session that we didn't explicitly invalidate.
This seems to be a bug potentially related to this: [WFLY-5546] The flushOnSessionInvalidation is not parsed correctly from jboss-web.xml - JBoss Issue Tracker but I'm not sure.
Does anyone know of a work around for this?
There were several fixes around this topic in the past. Best would be if you could migrate on latest WF 15 and confirm you can see issue there as well.