Invalidating session on logout

The system is designed in such a way that every WAR application can be accessed independently, and the security configuration is provided in every WAR file. We store data in a distributed cache, where the session id is used as the key in the application.

When the user logs out of the same application from which he logged in, the session object is invalidated properly. But when the user has moved on to a second WAR (app2) and clicks logout there, the request is submitted to the 'ibm_security_logout' action. The user is actually logged out of the system (he is no longer allowed to access protected resources), BUT if you log in as a different user in the same browser window, the session id is still the same as that of the previous session. The second user then gets the application data that was stored for the first user. This causes a serious issue in the application, because the data stored in the distributed cache of the system is now available to the second user.

Now, why it is important to invalidate the session once the user clicks on the logout button:1.

When I accessed the pages, I was presented with the console without being prompted for a username/password. There is a window between the user clicking logout and the session being invalidated on the server side by timeout. This extra time window helps the other guy use the stolen session and change the system.

As per the Info Center, when a request is submitted to ibm_security_logout, it performs the following operations: a.

We would call a custom logout action first, clear out the cache and session data in this newly added action, and then forward the request to ibm_security_logout to finish the rest of the standard operation.
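The custom logout action described above, written out as an added example (this is not the post's own code). It assumes a servlet named CustomLogoutServlet mapped to /app_logout in each WAR, and stands in for the distributed cache with a plain map keyed by session id; the real cache client would replace that. The forward to ibm_security_logout follows the post's approach, and the logoutExitPage parameter is the one WebSphere's form logout expects, carried on the original POST:

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Custom logout action (assumed name, mapped to /app_logout in each WAR).
 * The logout form posts here instead of directly to ibm_security_logout:
 *
 *   <form action="app_logout" method="post">
 *     <input type="hidden" name="logoutExitPage" value="/logout.html">
 *     <input type="submit" value="Logout">
 *   </form>
 *
 * Application state keyed by the session id is removed and the HttpSession is
 * invalidated BEFORE the container's standard logout runs, so a later user who
 * ends up with the same session id cannot read the previous user's data.
 */
public class CustomLogoutServlet extends HttpServlet {

    // Stand-in for the distributed cache from the post (assumed API):
    // key = session id, value = per-user application data.
    static final Map<String, Map<String, Object>> DISTRIBUTED_CACHE = new ConcurrentHashMap<>();

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // false: never create a session just to invalidate it
        HttpSession session = request.getSession(false);
        if (session != null) {
            String sessionId = session.getId();

            // 1. Drop everything cached under this session id.
            DISTRIBUTED_CACHE.remove(sessionId);

            // 2. Invalidate this WAR's HttpSession. Each WAR has its own
            //    HttpSession, so this does not touch the other WARs' sessions;
            //    the servlet therefore has to be deployed in every WAR.
            session.invalidate();
        }

        // 3. Hand over to WebSphere's ibm_security_logout for the standard
        //    logout (SSO cookie cleanup and redirect to logoutExitPage).
        //    The forward keeps the POST body, so logoutExitPage is carried along.
        request.getRequestDispatcher("/ibm_security_logout").forward(request, response);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }
}
```

Because the cache entry and the session are removed before ibm_security_logout runs, the timeout-based window the post describes is closed for the application's own data: a stolen or reused session id finds nothing in the cache and no valid HttpSession behind it.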
