
Rest Session not getting invalidated after invalidating UI session

 
RaviD Sharma
Greenhorn
Posts: 2
Hi,
I have 2 WARs in 1 EAR.
War A corresponds to the UI.
War B corresponds to REST.

1) From War A, I log in to the application and then fetch some users, which is a REST call. I get the response back from REST in JSON form, which the UI consumes to display the data on the page.
2) Now I click on the logout link from the UI JSP. This logs out the session from the UI. I use a <form data-dojo-type="dijit/form/Form" based logout.
3) I then go to the proxy (using Burp) and manually request the REST call which I made in step 1). REST gives the response back with the same JSON object returned in step 1).
This shows that the logout action in step 2) invalidated the session from War A (UI WAR), but the session or cookie from War B (REST WAR) is not invalidated.

Expected outcome:
After I log out from War A (UI WAR), the session must also get invalidated from War B (REST WAR), and a manual request from the proxy should not get the same response object as received in step 1).

A solution to this would be highly appreciated.

Thanks and regards.
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13078
> 2) Now I click on the logout link from ui jsp. This logs out the session from Ui. I use <form data-dojo-type="dijit/form/Form" based logout.

What is the code that handles that form click?
Apparently it does not do what you expect.

Bill
 
RaviD Sharma
Greenhorn
Posts: 2
Thank you Bill for your reply.

Here is the code. I call the ibm_security_logout action:

<form data-dojo-type="dijit/form/Form" role="form" id="SSUILogout" action="ibm_security_logout" method="post">
<input type="hidden" aria-label="logout" title="logout" name="logoutExitPage" value="/" >
<input type="submit" style="visibility:hidden">
</form>

 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13078
That is not what I meant.

Since invalidation of a session takes place on the server side, the question is - what code on the servlet side is supposed to be executed by that POST with those parameter values?

If this was my problem I would be instrumenting that servlet with logging statements to see what it is really getting as parameters and what it is doing. Logging cookie ids would be a good start.

Bill
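
Added example, not part of the thread and not code from either poster: one way to do the instrumentation suggested above is a servlet filter that logs, for every request, the requested session id, whether the container still considers it valid, the authenticated user and the cookie names. It assumes the javax.servlet 3.x API; the class name SessionTraceFilter and the short-hash logging are choices made for this sketch. Comparing the log lines for the REST call before logout with those for the replayed request shows which session or cookie the REST WAR is still accepting.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

// Hypothetical diagnostic filter (not from the thread); package it in both WARs.
@WebFilter("/*")
public class SessionTraceFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionTraceFilter.class.getName());

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        StringBuilder cookies = new StringBuilder();
        if (req.getCookies() != null) {
            for (Cookie c : req.getCookies()) {
                // Log the cookie name plus a short hash, never the raw value.
                cookies.append(c.getName()).append('=').append(fp(c.getValue())).append(' ');
            }
        }
        LOG.info(String.format("IN  %s %s sid=%s sidValid=%b user=%s cookies=[%s]",
                req.getMethod(), req.getRequestURI(), fp(req.getRequestedSessionId()),
                req.isRequestedSessionIdValid(), req.getRemoteUser(), cookies.toString().trim()));
        try {
            chain.doFilter(rq, rs);
        } finally {
            // getSession(false) never creates a session, so this is safe after logout.
            LOG.info(String.format("OUT %s sessionAlive=%b",
                    req.getRequestURI(), req.getSession(false) != null));
        }
    }

    // First 4 bytes of SHA-256 as hex: enough to correlate log lines.
    private static String fp(String v) {
        if (v == null) return "-";
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(v.getBytes(StandardCharsets.UTF_8));
            return String.format("%02x%02x%02x%02x", d[0], d[1], d[2], d[3]);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

If the replayed REST request logs sidValid=true or a non-null user after logout, the cookie names on that line identify what was not invalidated.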
 