9 Replies Latest reply on Nov 14, 2006 5:40 PM by Sohil Shah

    Logout Issue

    Nipun Batra Newbie

      Hi,

      I have 2 applications on 2 different servers, If I logout from one application and go to the other still I successfully login into other application.

      I think if I logout from fisrt application I shd not be able to login into second applications.


      the other problem is, now from second application if I go back to first application, I again get principal in first application request.getUserPrincipal(), everything runs ok again but the moment I put anything into session it throws exception saying that this session is already invalidated, whcih is true coz I inavildated the session when I logout from first application.

      is there anything we can do, I mean when i logout from any application i shd be logged out from all application?

      Thanks
      Nipun

        • 1. Re: Logout Issue
          Sohil Shah Master

          Nipun-

          What you are suggesting is correct and it should work.

          Let me run the Federated Logout usecase on my machine and make sure there is no SSO Logout related bug.


          btw- are the two applications in the same web domain?

          If you are invalidating your session on any of the applications, you should be logged out on all other applications automatically.

          Let me look into this.

          Thanks
          Sohil

          • 2. Re: Logout Issue
            Nipun Batra Newbie

            Hi

            Thanks for your response Sohil, really appreciate it.

            Yes both the applications are on same domain.

            Thanks again for your help

            Regards
            Nipun

            • 3. Re: Logout Issue
              Nipun Batra Newbie

              Hi Sohil


              I think I found the error, it was on my end. The logout url defined inside conext.xml was not correct. But again I think there is one thing..... on Application A I have to logout atleat 2 times, that is

              let say suppose I have logout URL as http://mydomain.com:8080/myapplication/logout.jsp and in logout.jsp I have to session.invalidate() method.

              I have to hit this url atleast 2 times if I want my partner application to also logout. i.e. after hitting this logout page twice if I go to my partner application my partner application will show SSO logout page and will logout. But if just say logout and go to my partner application it will still show me same user. OR may be I shd wait for some seconds before I go to my partner web app.

              Thanks again for your help

              Regards
              Nipun

              • 4. Re: Logout Issue
                Sohil Shah Master

                Nipun-

                Try waiting like 5 seconds to hit the next application. If that doesn't work, clear out your cookies (generated by these applications), restart the browser and run the scenario again.

                Let me know what you find out. And yes, logout url is important for SSO logout in context.xml.

                So-

                1/ Only single hit to the logout should be sufficient. If you consistently run into this issue of two logout hits, then this maybe a bug I need to look into. can you post your cookie list after hitting the logout just once .

                Thanks
                Sohil

                • 5. Re: Logout Issue
                  Nipun Batra Newbie

                  Hi Sohil

                  Thanks for your response

                  I cross checked it twice and started fresh after deleting all the cookies, here is what I found out about cookies

                  1) Application after I log in I can see one cookie for my domain "token"

                  2) Now from same browser I go to Applicatiob B, automatically gets log into the Application B and cookie is still "token" for my domain

                  3)I logout from application B and after that "token" cookie is deleted under the domain.

                  4)I go back to application A and again I automatically log in and this time I again see the "token" cookie for my domain

                  5)I go back to Application B and again I gets logged in automatically, token cookie is regenerated

                  Note: All above steps are done with 5 sec delay

                  Now

                  6) On Application B I logout (In logs I can see I am calling session.invalidate() and after that request.getuserprincipal becomes null),
                  After logging out,Now token cookie is deleted from browser. I again type the logout URL on browser for application B and send the page again to logout page i.e I did logout for 2 times


                  7) Now I go back to Application A and now I see 'SSO Logout...' message on screen, (I beleive that this message is internal as I am not printing it anywhere) and after that my logout page of application A is called.

                  So I am sure that I have to do logout twice and then only I log out from all partner applications.

                  Waiting for your response

                  Regards
                  Nipun

                  • 6. Re: Logout Issue
                    Sohil Shah Master

                    Looks like you are performing all the right steps. Not sure at this point what the issue could possibly be with two logouts....its the same logic executed on both cases.

                    Just to make sure your configuration is right. Is this the way its setup

                    1/ context.xml in application A points to the logout URL of application A and not of B

                    2/ context.xml in application B points to the logout URL of application B and not of A.

                    here is what my logout.jsp looks like in the demo app

                    <%@page contentType="text/html" language="java"%>
                    <%
                     response.setHeader("Cache-Control", "no-cache, must-revalidate");
                     response.setHeader("Pragma","no-cache");
                    %>
                    
                    <%
                     request.getSession().invalidate();
                     response.sendRedirect("index.jsp");
                    %>
                    
                    


                    btw- is there any way for you to capture the http traffic being sent to the web server when following these steps....this will give more visibility into the sequence of steps being performed

                    Thanks
                    Sohil

                    • 7. Re: Logout Issue
                      Sohil Shah Master

                      btw can you also confirm that in application B when you logout for the first time,

                      the request.getUserPrincipal is null just like second time you logout

                      • 8. Re: Logout Issue
                        Nipun Batra Newbie

                        Hi Sohil

                        Thanks for your response

                        yes context. xml is correct, Application A context.xml points to Application A logout page only.

                        Let me try to setheaders in my logout pages.

                        Regrding http traffice I believe I have tool to capture it or I will download it.

                        Let me try these two things quickly


                        Thanks again for your response
                        nipun

                        • 9. Re: Logout Issue
                          Sohil Shah Master

                          yeah firefox plugin has a way to capture live headers