This week's giveaway is in the Android forum.
We're giving away four copies of Android Security Essentials Live Lessons and have Godfrey Nolan on-line!
See this thread for details.
The moose likes Security and the fly likes How to Log out  when  auth-method is CLIENT-CERT? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark "How to Log out  when  auth-method is CLIENT-CERT?" Watch "How to Log out  when  auth-method is CLIENT-CERT?" New topic
Author

How to Log out when auth-method is CLIENT-CERT?

Dejan Mratinkovic
Ranch Hand

Joined: Nov 20, 2008
Posts: 65
JBoss 4.2.4GA server. I guess this would be the same for other servers too.

Is there a way to log out user logged in with certificate and force browser to prompt for certificate selection again?

I have googled a bit, and it seems there is no elegant solution for the problem. Only way would be closing browser.

Is there someone with similar issue and better solution?

On Jboss site there is FAQ on:
http://www.jboss.org/community/docs/DOC-12198

The questio is on kind of similar question (realted to basic autentication):
Q5: How do I logout of a web application?
A5: Invalidate the web session
Q6: How do I logout with basic auth, I did invalidate the session?

A6: It did logout, but then the browser automatically logged back in with saved/cached information. Your web browser needs to be restarted, or its password setting cleared.


I have tried to invalidate session, no success. After invalidating session I was redirecting to HTTP, with same - no result, user remained logged in.

Any hints?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41162
    
  45
You're right that the browser will keep sending the certificate until the browser is shut down, just like with basic authentication.

If the application logic automatically starts a new session in the presence of a valid certificate, then there is no way to do this.


Ping & DNS - my free Android networking tools app
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: How to Log out when auth-method is CLIENT-CERT?
 
Similar Threads
how does the servlet knows that the client has closed the browser
Issue in session manegement
How to block multiple logins of the same user
Clear session on Browser Close
Restrict Login from Multiple Sessions