
Removing the LtpaToken Cookie

 
Corey McGlone
Ranch Hand
Posts: 3271
Hey folks,

I've been working on securing a web application that I've been working on and I've run into some difficulties. This is the first time I've ever been involved with securing a web application so this is all pretty much new ground for me. Just as a side note, I'm using WebSphere 5.1 as an app server.

Well, I've gotten almost everything squared away except for one thing. When a user decides to log out, I go ahead and invalidate their session. However, in order for WAS to see that user as "unauthenticated" again, I need to force the LtpaToken cookie to expire. Unfortunately, I can't seem to get that to work.

I've tried using this code in my logout procedure:



But that hasn't seemed to work at all. The cookie still doesn't expire so, even though the session is getting invalidated, the user isn't required to authenticate to get back into my web application after logging out.

In this thread, Jeanne mentioned using the SSOAuthenticator class to remove the cookie, but I can't say that I have any idea what that class is. Like I said before, this is all pretty much new stuff for me.

So, anyone have any ideas as to how I can programmatically expire that cookie?

Thanks,
Corey
 
David O'Meara
Rancher
Posts: 13459
If you search the WebSphere forum there should be other threads mentioning the LTPA session token and SSOAuthenticator, including where to find it.

One sec, I'll see if I can find the one I wrote...
 
David O'Meara
Rancher
Posts: 13459
This is the one I was thinking of. If you search WebSphere for LTPA and SSOAuthenticator separately you get a bunch of related hits.

Hope this helps,
Dave.
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34671
Corey,
Do you have access to a browser (like Firefox) that lets you see the headers? (Seeing the cookies isn't enough because HTTPS cookies aren't persisted.) This may help in debugging.
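
An added example, not part of the original thread and not WebSphere code: following up on the header check suggested above, this standalone Java program compares the Set-Cookie header that created LtpaToken with the one sent at logout and reports whether a browser would drop the cookie. The header strings and their Path and Domain values are constructed samples; substitute the ones seen in the browser's header view.

```java
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.*;

public class LtpaLogoutHeaderCheck {
    // Split one Set-Cookie value into the cookie name plus lower-cased attributes.
    static Map<String, String> parse(String header) {
        Map<String, String> out = new HashMap<>();
        String[] parts = header.split(";");
        for (int i = 0; i < parts.length; i++) {
            String[] kv = parts[i].trim().split("=", 2);
            String key = (i == 0) ? "name" : kv[0].trim().toLowerCase(Locale.ROOT);
            out.put(key, i == 0 ? kv[0].trim() : (kv.length > 1 ? kv[1].trim() : ""));
        }
        return out;
    }

    // True if the header tells the browser to discard the cookie immediately.
    static boolean isExpired(Map<String, String> c) {
        try {
            if (c.containsKey("max-age")) return Long.parseLong(c.get("max-age")) <= 0;
            String exp = c.get("expires");
            if (exp == null) return false;   // no expiry: value is replaced, cookie stays
            // Netscape-style dates use dashes; normalise to "dd MMM yyyy".
            DateTimeFormatter f = DateTimeFormatter.ofPattern("EEE, dd MMM yyyy HH:mm:ss zzz", Locale.US);
            return ZonedDateTime.parse(exp.replace('-', ' '), f).isBefore(ZonedDateTime.now());
        } catch (RuntimeException e) {
            return false;                    // unparseable value: treat as not expired
        }
    }

    // A stored cookie is removed only by a header with the same name, Path and
    // Domain that is already expired. Attributes are compared as written.
    static String check(String setHeader, String logoutHeader) {
        Map<String, String> set = parse(setHeader), del = parse(logoutHeader);
        if (!set.get("name").equals(del.get("name"))) return "different cookie name";
        if (!set.getOrDefault("path", "").equals(del.getOrDefault("path", ""))) return "Path mismatch";
        if (!set.getOrDefault("domain", "").equalsIgnoreCase(del.getOrDefault("domain", ""))) return "Domain mismatch";
        return isExpired(del) ? "clears cookie" : "not expired";
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured from a real server.
        String login = "LtpaToken=SAMPLE; Path=/; Domain=.example.com";
        String[] logout = {
            "LtpaToken=; Max-Age=0; Path=/myapp",
            "LtpaToken=; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Domain=.example.com"
        };
        for (String h : logout) System.out.println(check(login, h) + "  <-  " + h);
    }
}
```

When a header omits Path or Domain, the browser derives them from the request URL, so compare the request URLs by hand in that case.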
 