In Authoring environment, how to clear HTTPSession when user logs out

ansrk
Level 2

In the Authoring environment, we noticed that after the user logs out by clicking the "Sign Out" button (/system/sling/logout.html), the HTTPSession is still not cleared, and the JSESSIONID cookie value is also neither cleared nor changed.

We are using the HTTPSession to store sensitive user information, and want to clear it when the user logs out.

What would be the ideal way to clear the HTTPSession data when the user logs out?

Thanks.

kchaurasiya
Level 6

@ansrk : Are you using SSO on the author environment? Did you try to log out from crx/de? Check this once and see whether the HTTPSession is still there or not.

Thank You.

Keshav

ansrk
Level 2

@kchaurasiya: We tried logging out from crx/de and the behavior is the same; the HTTPSession is not cleared.

Thanks.

kchaurasiya
Level 6

@ansrk : Can you try this with the IP address instead of the host name, and open it on the crx/packmgr interface? In our application we use SSO, so generally it does not log out; we therefore use the IP address instead of the host name and open it on crx/packmgr, as crx/de does not work here. Just check and try.

Thank You.

Keshav 

Asutosh_Jena_
Community Advisor

Hi @ansrk 

 

You are storing some user information on the HTTPSession using a custom implementation.

I would think of handling the HTTPSession data with a custom event, i.e., when the user clicks "Sign Out", capture the event and then trigger a servlet or service call which invalidates the HTTPSession using invalidate() and clears out the PII data.

Thanks!

ansrk
Level 2

@Asutosh_Jena_ We would like to avoid client-side script; otherwise we might need to load that JavaScript on all pages, including foundation pages, etc. Preferably, we would like to use only server-side options, like a filter or a custom handler, to accomplish this task.

Can you please provide any reference, or possible ways to look into this, so that we could invalidate the session whenever a user logs out?

Thanks.
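One purely server-side approach along the lines this thread asks about, added here as an example and not code from the original thread or from AEM itself: an OSGi-registered Sling request filter that intercepts the Sling logout URL (/system/sling/logout.*, the path the question names), invalidates the container HttpSession so the stored PII does not outlive the login, and expires the JSESSIONID cookie. The class name, the `sling.filter.pattern` value and the `service.ranking` value are assumptions; `sling.filter.pattern` requires a Sling Engine version that supports it.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.osgi.service.component.annotations.Component;

/**
 * Example (not AEM's own code): a Sling REQUEST-scope filter that runs before the
 * built-in logout handler and drops the HttpSession and its attributes.
 * Property values below are assumptions and should be adapted to the project.
 */
@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST",
        "sling.filter.pattern=/system/sling/logout.*", // only the logout URL
        "service.ranking:Integer=1000"                  // run early in the chain
})
public class LogoutSessionInvalidationFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest && response instanceof HttpServletResponse) {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;
            // getSession(false): never create a new session as a side effect of logging out.
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate(); // removes every server-side attribute, including the PII
            }
            // Expire the client-side cookie so the old session id is not presented again.
            Cookie expired = new Cookie("JSESSIONID", "");
            expired.setPath("/");
            expired.setMaxAge(0);
            expired.setHttpOnly(true);
            expired.setSecure(req.isSecure());
            res.addCookie(expired);
        }
        chain.doFilter(request, response); // let Sling's own logout handling complete
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

To verify, watch the logout response for a Set-Cookie header that expires JSESSIONID and confirm that the next authenticated request receives a different session id.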