2 Replies Latest reply on Mar 28, 2008 7:55 AM by David Visicchio

    basic authentication cached credential without invalidate se

    David Visicchio Newbie

      Hello to everybody,
      I am using JBoss with basic authentication and I am seeing a strange behaviour.

      At the front of JBoss I have a single sign-on system that unifies the login of the user but unfortunately it doesn't clear any session cookie when the user makes logout.

      So with JBoss 4.0.2, I saw the following behaviour:

      1. I authenticate myself as user1 and I see the page (of a web-app) with my data

      2. I make logout (the session cookies are kept)

      3. I authenticate myself as user2 and I see the page (of a web-app) with my data

      4. I make logout (the session cookies are kept)

      5. I authenticate myself again as user3 and I see the page (of a web-app) data of user2 !

      It seems as JBoss at the second time keeps the previuos authentication because it sees some session cookie.

      This behaviour doesn't appear with JBoss 3.2.3