WildFly / WFLY-20885

Web SSO invalidation failing


    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • 37.0.0.Final
    • Web (Undertow)
    • None

      Attached a war for testing and setup_wildfly.cli with minimum settings for reproducing.

      1. Apply setup_wildfly.cli
      2. Build and deploy single-web-test.war
      3. Go to /single-web-test/login, log in as testuser:1
      4. Observe session and SSO cookies
      5. Go to /single-web-test/logout
      6. Observe that the session has changed, but the user is still authenticated, and the SSO cookie has not changed.

      After upgrading to WildFly 37.0.0.Final, the Web SSO invalidation on logout seems to have stopped working.

      After a HttpServletRequest.logout() and HttpSession.invalidate(), when using the single-sign-on setting on an Undertow application-security-domain, the user will be given a new session, but will stay authenticated.

      This behavior was not present on WildFly 36.0.1.Final.

              bstansbe@redhat.com Brian Stansberry
              gustav_brostrom Gustav Broström
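
A black-box check for the symptoms listed in the reproduction steps, as an added example that is not part of the original report or of WildFly's code: it replays captured Set-Cookie headers into a browser-like jar and reports what logout left behind. The cookie names JSESSIONID and JSESSIONIDSSO, the function names and every header value are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

# Assumed cookie names (Undertow defaults); the report does not name them.
SESSION_COOKIE = "JSESSIONID"
SSO_COOKIE = "JSESSIONIDSSO"

# Constructed headers (all values made up). REPORTED_LOGOUT models the report:
# a new session id is issued but nothing touches the SSO cookie.
LOGIN = [("Set-Cookie", "JSESSIONID=aaa111; Path=/single-web-test; HttpOnly"),
         ("Set-Cookie", "JSESSIONIDSSO=sso-123; Path=/; HttpOnly")]
REPORTED_LOGOUT = [("Set-Cookie", "JSESSIONID=bbb222; Path=/single-web-test; HttpOnly")]
# One way a logout that does clear the SSO cookie could look (also constructed).
CLEARING_LOGOUT = REPORTED_LOGOUT + [("Set-Cookie", "JSESSIONIDSSO=; Path=/; Max-Age=0")]


def apply_to_jar(jar, headers):
    """Return a new browser-like jar {name: value} after applying Set-Cookie headers."""
    jar = dict(jar)
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parsed = SimpleCookie()
        parsed.load(value)
        for cookie, morsel in parsed.items():
            # An empty value or Max-Age=0 tells the browser to drop the cookie.
            if morsel.value == "" or str(morsel["max-age"]) == "0":
                jar.pop(cookie, None)
            else:
                jar[cookie] = morsel.value
    return jar


def check_logout(login_headers, logout_headers, authenticated_after_logout):
    """Return findings; an empty list means none of the reported symptoms were seen."""
    before = apply_to_jar({}, login_headers)
    after = apply_to_jar(before, logout_headers)
    findings = []
    if SSO_COOKIE in before and after.get(SSO_COOKIE) == before[SSO_COOKIE]:
        findings.append("SSO cookie unchanged after logout")
    if SESSION_COOKIE in before and after.get(SESSION_COOKIE) == before[SESSION_COOKIE]:
        findings.append("session id not rotated on logout")
    if authenticated_after_logout:  # tester's observation from step 6
        findings.append("user still authenticated after logout")
    return findings


if __name__ == "__main__":
    print(check_logout(LOGIN, REPORTED_LOGOUT, True))
    print(check_logout(LOGIN, CLEARING_LOGOUT, False))
```

A cleared cookie only shows what the browser was told, so `authenticated_after_logout` should come from an actual request made after step 5 rather than from the headers alone.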