I've been working on securing a web application that I've been working on and I've run into some difficulties. This is the first time I've ever been involved with securing a web application so this is all pretty much new ground for me. Just as a side note, I'm using WebSphere 5.1 as an app server.
Well, I've gotten almost everything squared away except for one thing. When a user decides to log out, I go ahead and invalidate their session. However, in order for WAS to see that user as "unauthenticated" again, I need to force the LtpaToken cookie to expire. Unfortunately, I can't seem to get that to work.
I've tried using this code in my logout procedure:
But that hasn't seemed to work at all. The cookie still doesn't expire so, even though the session is getting invalidated, the user isn't required to authenticate to get back into my web application after logging out.
In this thread, Jeanne mentioned using the SSOAuthenticator class to remove the cookie, but I can't say that I have any idea what that class is. Like I said before, this is all pretty much new stuff for me.
So, anyone have any ideas as to how I can programmatically expire that cookie?