Avoid the execution of HttpServletRequest.logout() in unprotected URLs

Solution Unverified - Updated -

Issue

  • After several logins and logouts in the same browser, using different tabs and different applications, a logout request does not work as expected: the SSO session remains active.

  • In a Java adapter, calling HttpServletRequest.logout() to perform an SSO logout fails after the following steps:

    1. Open a window in the browser.
    2. Execute the login operation in application 1.
    3. Open another window in the same browser.
    4. Perform the login in application 2.
    5. Execute the logout operation of the application 2.
    6. Execute the login operation of the application 2 in the same window.
    7. Go back to the previous window (application 1).
    8. Execute the logout operation (application 1).

    The last logout does not work and the session remains active at SSO level.
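    As the title indicates, the logout endpoint should itself be a protected resource, so that the adapter's security context is present when HttpServletRequest.logout() runs. The servlet below is an added illustration and not the Red Hat solution text (which is not reproduced on this page); the /logout path and the "user" role are assumptions.

    ```java
    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.annotation.HttpConstraint;
    import javax.servlet.annotation.ServletSecurity;
    import javax.servlet.annotation.WebServlet;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    /*
     * Added example: the logout URL is declared as a protected resource via
     * @ServletSecurity, so the container (and the RH-SSO OIDC adapter configured
     * as the application's login mechanism in web.xml) authenticates the request
     * before doGet() is reached. Calling request.logout() from an unprotected URL
     * is what this article warns against.
     *
     * Assumptions: the servlet is mapped to /logout and users hold the role "user";
     * web.xml still declares <auth-method>KEYCLOAK</auth-method> in <login-config>
     * and the "user" security role.
     */
    @WebServlet("/logout")
    @ServletSecurity(@HttpConstraint(rolesAllowed = {"user"}))
    public class LogoutServlet extends HttpServlet {

        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // Only reached with an authenticated principal, so the adapter has the
            // session state it needs to perform the SSO logout.
            if (request.getUserPrincipal() != null) {
                request.logout();
            }
            // Invalidate the local container session as well, then send the user
            // back to the application root (the adapter handles the SSO redirect).
            if (request.getSession(false) != null) {
                request.getSession(false).invalidate();
            }
            response.sendRedirect(request.getContextPath() + "/");
        }
    }
    ```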

Environment

  • Red Hat Single Sign-On (RH-SSO)
    • 7
  • OpenID Connect adapters
