Removing the LtpaToken Cookie

Corey McGlone
Ranch Hand

Joined: Dec 20, 2001
Posts: 3271
Hey folks,

I've been working on securing a web application that I've been working on and I've run into some difficulties. This is the first time I've ever been involved with securing a web application so this is all pretty much new ground for me. Just as a side note, I'm using WebSphere 5.1 as an app server.

Well, I've gotten almost everything squared away except for one thing. When a user decides to log out, I go ahead and invalidate their session. However, in order for WAS to see that user as "unauthenticated" again, I need to force the LtpaToken cookie to expire. Unfortunately, I can't seem to get that to work.

I've tried using this code in my logout procedure:

But that hasn't seemed to work at all. The cookie still doesn't expire so, even though the session is getting invalidated, the user isn't required to authenticate to get back into my web application after logging out.

In this thread, Jeanne mentioned using the SSOAuthenticator class to remove the cookie, but I can't say that I have any idea what that class is. Like I said before, this is all pretty much new stuff for me.

So, anyone have any ideas as to how I can programmatically expire that cookie?


SCJP Tipline, etc.
David O'Meara

Joined: Mar 06, 2001
Posts: 13459

If you search the websphere forum there should be other threads mentioning the LTPA session token and SSOAuthenticator, including where to find it.

One sec, I'll see if I can find the one I wrote...
David O'Meara

Joined: Mar 06, 2001
Posts: 13459

This is the one I was thinking of. If you search websphere for LTPA and SSOAuthenticator separately you get a bunch of related hits.

Hope this helps,
Jeanne Boyarsky
author & internet detective

Joined: May 26, 2003
Posts: 33102

Do you have access to a browser (like Firefox) that lets you see the headers? (Seeing the cookies isn't enough because https cookies aren't persisted.) This may help in debugging.

[OCA 8 book] [Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Other Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, TOGAF part 1 and part 2
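Added example, not code from any poster in this thread: a header-level check for the debugging step suggested above. It compares the `Set-Cookie` header that issued `LtpaToken` with the `Set-Cookie` headers in the logout response, since a browser only drops a cookie when the expiring header has the same name, domain and path. The function names, the sample header values and the `example.test` domain are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def scope(attrs):
    # Simplification: compare Domain (leading dot ignored) and Path as sent;
    # an absent attribute only matches another absent attribute.
    return (attrs.get("domain", "").lstrip(".").lower() or None,
            attrs.get("path") or None)

def is_expiring(attrs, now):
    """True if Max-Age <= 0 or Expires is in the past (Max-Age wins, RFC 6265)."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) <= 0
        if "expires" in attrs:
            when = parsedate_to_datetime(attrs["expires"])
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            return when <= now
    except (TypeError, ValueError):
        pass  # unparsable value: treat as not expiring
    return False

def check_logout(login_header, logout_headers, name="LtpaToken", now=None):
    """Return 'ok', 'missing', 'not-expiring' or 'scope-mismatch'."""
    now = now or datetime.now(timezone.utc)
    wanted = scope(parse_set_cookie(login_header)[1])
    result = "missing"
    for header in logout_headers:
        cname, attrs = parse_set_cookie(header)
        if cname != name:
            continue
        if not is_expiring(attrs, now):
            result = "not-expiring" if result == "missing" else result
        elif scope(attrs) == wanted:
            return "ok"
        else:
            result = "scope-mismatch"
    return result

# Constructed sample header (not captured from a real server).
LOGIN = "LtpaToken=AAAA-constructed; Path=/; Domain=.example.test"
```

A `scope-mismatch` result means the logout response does send an expiring `LtpaToken`, but with a different domain or path than the one the cookie was issued with, so the browser keeps the original.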