In the Authoring environment, we noticed that after a user logs out by clicking the "Sign Out" button (/system/sling/logout.html), the HTTPSession is still not cleared, and the JSESSIONID cookie value is also neither cleared nor changed.
We are using the HTTPSession to store sensitive user information, and want to clear it when the user logs out.
What would be the ideal way to clear the HTTPSession data when the user logs out?
@ansrk : Can you try this with the IP address instead of the host name and open it on the crx/packmgr interface? In our application we use SSO, so generally it is not a logout; we try to use the IP address instead of the host name and open it on crx/packmgr, as crx/de does not work here. Just check and try.
You are storing some user information data in the HTTPSession using a custom implementation.
I would think of handling the HTTPSession data with a custom event, i.e., when the user clicks on "Sign Out", capture the event and then trigger a servlet or service call which will invalidate the HTTPSession using invalidate() and clear out the PII data.
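One way to implement the servlet described in the answer above. This is an added example, not code from the thread or from AEM/Sling itself; the servlet path (/bin/example/logout) and the session attribute name (pii.userProfile) are assumptions, and the servlet is expected to be called by the "Sign Out" button before (or instead of) the direct link to /system/sling/logout.html.

```java
// Added example: a Sling servlet that clears the HttpSession and the JSESSIONID
// cookie, then hands over to Sling's own logout endpoint so the login token is
// dropped as well. The servlet path and the attribute name are assumptions.
package com.example.aem.logout;

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpSession;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;

@Component(service = Servlet.class,
           property = {
               "sling.servlet.paths=/bin/example/logout",   // hypothetical path
               "sling.servlet.methods=POST"
           })
public class SessionClearingLogoutServlet extends SlingAllMethodsServlet {

    private static final String SLING_LOGOUT = "/system/sling/logout.html";
    private static final String PII_ATTRIBUTE = "pii.userProfile"; // hypothetical attribute name

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) never creates a session as a side effect of logging out
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Remove the sensitive attribute explicitly, then drop the whole session so
            // no other attribute survives and the server-side session id is retired
            session.removeAttribute(PII_ATTRIBUTE);
            session.invalidate();
        }

        // Expire the JSESSIONID cookie on the client; the path must match the one the
        // container set, otherwise the browser keeps the old cookie
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        expired.setPath("/");
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        // Delegate to Sling's logout so its own login-token cookie is cleared too
        response.sendRedirect(request.getContextPath() + SLING_LOGOUT);
    }
}
```

Because the servlet only accepts POST, the "Sign Out" button must send a POST (with the CSRF token that AEM's CSRF protection framework expects on POST requests) rather than a plain GET link; the redirect that follows is a GET to /system/sling/logout.html, which is what the button called before. Invalidating the session first and only then redirecting is the important ordering: if the Sling logout ran alone, the HttpSession and its attributes would remain reachable under the unchanged JSESSIONID, which is exactly the behaviour reported in the question.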
Can you please provide any reference, or possible ways to look into this, so that we could invalidate the session whenever a user logs out?