In the Authoring environment, we noticed that after user logs out by clicking the "Sign Out" button (/system/sling/logout.html) then still the HTTPSession is not cleared, and the JSESSIONID cookie value is also not cleared nor changed.
We are using HTTPSession to store sensitive user information, and want to clear them when the user logs out.
What would be the ideal way to clear the HTTPSession data when user logs-out?
Thanks.
Solved! Go to Solution.
Views
Replies
Total Likes
@ansrk : Can you try this with the IP address instead of the host name and open it on the crx/packmgr interface. In our application we use the SSO so generally it is not logout so we try to use the IP address instead of host name and open it on the crx/packmgr, As crx/de does not work here. Just check and try.
Thank You.
Keshav
@ansrk : Are you using the SSO on the author environment..? Did you try to logout from the crx/de. Check this once and see whether HTTPSession is there or not.
Thank You.
Keshav
@kchaurasiya: We tried logging out from the crx/de and the behavior is same, the HTTPSession is not cleared.
Thanks.
@ansrk : Can you try this with the IP address instead of the host name and open it on the crx/packmgr interface. In our application we use the SSO so generally it is not logout so we try to use the IP address instead of host name and open it on the crx/packmgr, As crx/de does not work here. Just check and try.
Thank You.
Keshav
Hi @ansrk
You are storing some user information data on HTTPSession using a custom implementation.
I will think of handling the HTTPSession data with a custom event i.e., when user clicks on "Sign Out", capture the event and then trigger a servlet or service call which will invalidate the HTTPSession by using invalidate() and will clear out the PII data.
Thanks!
@Asutosh_Jena_ We would like to avoid client script, otherwise we might need to load that JavaScript in all pages, including foundation pages etc. Preferably, we would like to use only the server-side options, like a filter or custom handle to accomplish this task.
Can you please provide any reference, or possible ways to look into this, so that we could invalidate the session whenever a user logouts.
Thanks.
Views
Likes
Replies