In Authoring environment, how to clear HTTPSession when user logs out
Level 2
August 10, 2021
Solved

In the Authoring environment, we noticed that after a user logs out by clicking the "Sign Out" button (/system/sling/logout.html), the HTTPSession is still not cleared, and the JSESSIONID cookie value is neither cleared nor changed.

We are using HTTPSession to store sensitive user information, and want to clear it when the user logs out.

What would be the ideal way to clear the HTTPSession data when the user logs out?

 

Thanks.

2 replies

kchaurasiya
Level 5
August 10, 2021

@ansrk: Are you using SSO on the author environment? Did you try to log out from crx/de? Check this once and see whether the HTTPSession is still there or not.

 

Thank You.

Keshav

ansrk (Author)
Level 2
August 10, 2021

@kchaurasiya: We tried logging out from crx/de and the behavior is the same; the HTTPSession is not cleared.

 

Thanks.

kchaurasiya
Accepted solution
Level 5
August 10, 2021

@ansrk: Can you try this with the IP address instead of the host name and open it on the crx/packmgr interface? In our application we use SSO, so generally it does not log out, so we try to use the IP address instead of the host name and open it on crx/packmgr, as crx/de does not work here. Just check and try.

 

Thank You.

Keshav 

Asutosh_Jena_
Community Advisor
August 10, 2021

Hi @ansrk 

 

You are storing some user information data on HTTPSession using a custom implementation.

I would think of handling the HTTPSession data with a custom event, i.e., when the user clicks on "Sign Out", capture the event and then trigger a servlet or service call which will invalidate the HTTPSession by using invalidate() and clear out the PII data.

 

Thanks!

ansrk (Author)
Level 2
August 11, 2021

@asutosh_jena_ We would like to avoid client script, otherwise we might need to load that JavaScript in all pages, including foundation pages etc. Preferably, we would like to use only server-side options, like a filter or custom handle, to accomplish this task.

Can you please provide any reference, or possible ways to look into this, so that we could invalidate the session whenever a user logs out?

 

Thanks.
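
One server-side way to do what the last post asks for, shown as an added example that is not code from the thread or from Adobe: a Sling request filter that invalidates the HTTPSession when the logout path from the question is requested. The package name, class name and ranking value are assumptions, and it assumes the "Sign Out" request passes through the Sling filter chain.

```java
package com.example.aem.filters; // hypothetical package and class names

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.osgi.service.component.annotations.Component;

// Sling request-scope filter; the high ranking is an assumption so it runs early.
@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST",
        "service.ranking:Integer=10000"
})
public class LogoutSessionFilter implements Filter {

    // Logout endpoint named in the question (requested as /system/sling/logout.html).
    private static final String LOGOUT_PATH = "/system/sling/logout";

    // True for the logout path itself or with an extension/suffix, e.g. ".html".
    static boolean isLogout(String path) {
        return path.equals(LOGOUT_PATH) || path.startsWith(LOGOUT_PATH + ".")
                || path.startsWith(LOGOUT_PATH + "/");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String path = http.getRequestURI().substring(http.getContextPath().length());
            if (isLogout(path)) {
                HttpSession session = http.getSession(false); // never create one just to destroy it
                if (session != null) {
                    session.invalidate(); // unbinds every attribute, including the stored user data
                }
            }
        }
        chain.doFilter(req, res); // let Sling's own logout handling run as usual
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

invalidate() discards the server-side session and its attributes; the servlet container assigns a new JSESSIONID only when a later request creates a new session.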