
SOLVED

In Authoring environment, how to clear HTTPSession when user logs out


Level 2

In the Authoring environment, we noticed that after the user logs out by clicking the "Sign Out" button (/system/sling/logout.html), the HTTPSession is still not cleared, and the JSESSIONID cookie value is neither cleared nor changed.


We are using the HTTPSession to store sensitive user information, and want to clear it when the user logs out.


What would be the ideal way to clear the HTTPSession data when the user logs out?


Thanks.

1 Accepted Solution


Correct answer by
Level 6

@ansrk : Can you try this with the IP address instead of the host name and open it on the crx/packmgr interface? In our application we use SSO, so generally it does not log out, so we use the IP address instead of the host name and open it on crx/packmgr, as crx/de does not work here. Just check and try.


Thank You.

Keshav 


5 Replies


Level 6

@ansrk : Are you using SSO on the author environment? Did you try to log out from crx/de? Check this once and see whether the HTTPSession is there or not.


Thank You.

Keshav


Level 2

@kchaurasiya: We tried logging out from crx/de and the behavior is the same; the HTTPSession is not cleared.


Thanks.



Community Advisor

Hi @ansrk 


You are storing some user information data on the HTTPSession using a custom implementation.

I will think of handling the HTTPSession data with a custom event, i.e., when the user clicks on "Sign Out", capture the event and then trigger a servlet or service call which will invalidate the HTTPSession by using invalidate() and clear out the PII data.


Thanks!


Level 2

@Asutosh_Jena_ We would like to avoid client-side script; otherwise we might need to load that JavaScript in all pages, including foundation pages etc. Preferably, we would like to use only server-side options, like a filter or a custom handler, to accomplish this task.

Can you please provide any reference, or possible ways to look into this, so that we could invalidate the session whenever a user logs out?


Thanks.
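The following is an added example, not code posted by anyone in this thread, of the server-side option the last reply asks for: a Sling request-scope filter that calls invalidate() on the HttpSession (the approach suggested above) whenever a request hits the Sling logout URL mentioned in the question, and additionally expires the JSESSIONID cookie on the client. The package name, class name, the `sling.filter.pattern` / `service.ranking` property values and the cookie path "/" are assumptions; the defensive path check inside doFilter makes the filter work even if the installed Sling Engine ignores the pattern property.

```java
// Added example (not from this thread): Sling REQUEST-scope filter that
// invalidates the container HttpSession on logout and expires JSESSIONID.
package com.example.auth; // hypothetical package name

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(
    service = Filter.class,
    property = {
        // REQUEST scope: runs before the logout servlet handles the request
        "sling.filter.scope=REQUEST",
        // Regex on the request path; value is an assumption for this example
        "sling.filter.pattern=/system/sling/logout.*",
        // High ranking so this runs ahead of other request filters (assumed value)
        "service.ranking:Integer=1000"
    })
public class LogoutSessionInvalidationFilter implements Filter {

    private static final Logger LOG = LoggerFactory.getLogger(LogoutSessionInvalidationFilter.class);
    // Logout endpoint named in the question (/system/sling/logout.html)
    private static final String LOGOUT_PATH = "/system/sling/logout";
    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest && response instanceof HttpServletResponse) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            // Defensive check so the filter only acts on the logout path even
            // if the sling.filter.pattern property is not honoured.
            if (httpRequest.getRequestURI().startsWith(LOGOUT_PATH)) {
                invalidateSession(httpRequest, httpResponse);
            }
        }
        // Let the normal Sling logout handling continue afterwards.
        chain.doFilter(request, response);
    }

    /**
     * Drops the container session (and every attribute stored on it, including
     * any PII) and expires the session cookie so the old id is not sent again.
     */
    static void invalidateSession(HttpServletRequest request, HttpServletResponse response) {
        // getSession(false): do not create a fresh session only to destroy it
        HttpSession session = request.getSession(false);
        if (session != null) {
            LOG.debug("Invalidating HttpSession {} on logout", session.getId());
            session.invalidate();
        }
        // Expire the cookie client-side; path "/" is an assumption and must
        // match the path the container set on the original cookie.
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setMaxAge(0);
        expired.setPath("/");
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The filter invalidates the session before calling chain.doFilter so the regular logout servlet still runs and the sign-out behaviour is otherwise unchanged; invalidate() discards every attribute on the session, which is what removes the sensitive data. If sign-out is handled by a different URL (for example an SSO logout path, as Keshav mentions), the pattern and the path check have to cover that URL as well, and the cookie path must match whatever path the container used when it issued JSESSIONID, or the browser will keep the old cookie.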