
Thread: delete-cookies don't delete LtpaToken

  1. #1
    Join Date
    Apr 2012
    Posts
    13

    Question delete-cookies don't delete LtpaToken

    Hi there,
    I'm developing a web application that uses a PreAuthenticationFilter to log in with the IBM LtpaToken.
    I'd like to delete the token when the user logs out, but I can't...

    My logout filter is configured like this:
    Code:
    <security:logout logout-url="/auth/logout" invalidate-session="true" logout-success-url="/auth/login"  delete-cookies="LtpaToken"/>
    How can I do this?!
    Thanks in advance

  2. #2
    Join Date
    Jun 2010
    Posts
    10

    Default

    I don't think you want to just delete the LTPA token. WebSphere is managing this cookie; you should not be. I would guess that the app server is calling Set-Cookie after you try to delete it, but you would have to look at the responses in Firebug to confirm this.

    LTPA is for SSO. Do you have multiple web applications? If not, consider something simpler. If you do have multiple web apps, you need to understand that clearing the LTPA token ends your SSO session, which is not equivalent to your HTTP session. (You could have many HTTP sessions, but only one SSO session.) Ending your SSO session should result in you becoming unauthenticated in ALL of your web applications. If this is truly what you want, you will need to read some IBM documentation on how to do this.

    Also, you can probably use J2eePreAuthenticatedProcessingFilter directly, as WebSphere should be injecting the userPrincipal.

  3. #3
    Join Date
    Apr 2012
    Posts
    13

    Default

    Thanks for the answer, James.
    I too thought it was the app server, but it doesn't seem so to me...
    However, I have to delete the cookie because, as a PreAuthFilter, it is fired on every secured pattern, so I can't fully log out!!!
    I don't mind if I destroy the SSO session (not completely true, because there is also the LtpaToken2 that I ignore in Spring).

  4. #4
    Join Date
    Jan 2008
    Posts
    1,826

    Default

    Does it happen in every browser? Can you use something like Tamper Data to see if it is trying to delete the cookie properly?
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  5. #5
    Join Date
    Apr 2012
    Posts
    13

    Default

    Yes, in every browser...
    I've checked the creation date with a cookie manager and it doesn't change, so the cookie isn't being deleted and recreated...

    Can the problem occur because of the domain?!
    LtpaToken has the domain .company.com... my app instead creates its remember-me cookie under app.company.com...
    Maybe I can't delete a domain-wide cookie?!
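
On the domain question in post #5: a browser identifies a stored cookie by name, domain and path together, so an expiring Set-Cookie removes it only when all three match the stored cookie. The handler below is an added example, not code from this thread or from Spring Security; the class name is hypothetical, and the path "/" mentioned in the comments is an assumption, since the thread only gives the domain (.company.com).

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

/**
 * Hypothetical logout handler (added example) that expires a cookie which was
 * issued for a parent domain, e.g. LtpaToken on ".company.com".
 */
public class DomainCookieClearingLogoutHandler implements LogoutHandler {

    private final String cookieName;
    private final String cookieDomain; // must equal the Domain the cookie was issued with
    private final String cookiePath;   // must equal the Path the cookie was issued with

    public DomainCookieClearingLogoutHandler(String cookieName, String cookieDomain, String cookiePath) {
        if (cookieName == null || cookieDomain == null || cookiePath == null) {
            throw new IllegalArgumentException("cookie name, domain and path are all required");
        }
        this.cookieName = cookieName;
        this.cookieDomain = cookieDomain;
        this.cookiePath = cookiePath;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        // An expiring cookie with no Domain attribute is host-only (app.company.com)
        // and is treated as a different cookie from the one stored for .company.com.
        Cookie expired = new Cookie(cookieName, "");
        expired.setDomain(cookieDomain);
        // Assumption: the token was issued with Path "/". A different path here
        // (for example the application's context path) also fails to match.
        expired.setPath(cookiePath);
        expired.setMaxAge(0); // Max-Age=0 tells the browser to discard the cookie
        expired.setSecure(request.isSecure());
        response.addCookie(expired);
    }
}
```

An instance would be constructed as `new DomainCookieClearingLogoutHandler("LtpaToken", ".company.com", "/")`, with a second instance for LtpaToken2 if that cookie should go as well. This only removes the cookie from the browser, and, as post #2 points out, it ends the SSO session for every application that relies on the token.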
