Avoid the execution of HttpServletRequest.logout() in unprotected URLs
Issue
- After doing several logins and logouts in the same browser but using different tabs and applications, a logout request does not work as expected (the SSO session remains).
- In a Java adapter, executing HttpServletRequest.logout() to perform an SSO logout fails when following these steps:
  - Open a window in the browser.
  - Execute the login operation in application 1.
  - Open another window in the same browser.
  - Perform the login in application 2.
  - Execute the logout operation of application 2.
  - Execute the login operation of application 2 in the same window.
  - Go back to the previous window (application 1).
  - Execute the logout operation (application 1).
The last logout does not work and the session remains active at SSO level.
Environment
- Red Hat Single Sign-On (RH-SSO)
  - 7
- OpenID Connect adapters