We are having trouble with logging out with SSO turned on - the users have to
click logout twice in order for the SSO session to be destroyed and therefore
properly logged out.
We are using FORM authentication - this all works great and once the user is
logged in once they are logged into all applications.
From what I can tell, logout should be a simple process of calling
HttpSession.invalidate(). This should instruct GlassFish to destroy the SSO
session and cause the user to go to the login page when they next access
protected content. However, when the session is invalidated they are still
logged in and can access the content. If logout is called again (and
another new session therefore invalidated) then the user is logged out
properly.
What is the correct way to perform a logout? I have tried various ways to
invalidate the session, such as a servlet and a JSP, both in a protected area
and outside, without any success. Upon next access the
com.sun.web.security.RealmAdapter creates a new session and the user
principal is always set.
Thanks,
Peter.
--
[Message sent by forum member 'teagtera']
View Post: http://forums.java.net/node/801805