This discussion is archived
3 Replies Latest reply: Apr 19, 2013 8:31 AM by KirandeepKaur RSS

User1 logs out, JSESSIONID not deleted, User2 logs in and gets User1s Data

1003981 Newbie
Currently Being Moderated
We've searched the web for the better part of a year now to try to solve this, and are hoping someone somewhere has figured it out. We have SiteMinder in front of our Tomcat6, JBoss6 and 7, and WebLogic 10 servers. Trouble happens when a user logs into an application that generates a JSESSIONID in a location other than / in the browser, i.e. /foo/JSESSIONID<value>. When the user logs out, if the JSESSIONID cookie isn't located at /, it doesn't get removed. The next user comes along, authenticates to SiteMinder, goes into the same application, and since the JSESSIONID cookie still remains from the previous user, the second user sees the first user's data, which may be personal SAP data, Siebel, PeopleSoft, etc.

We have hundreds of developers; getting them to all store their JSESSIONID cookies in / (with some unique name either at the front or end of their application's JSESSIONID cookie) would be an arduous undertaking; enforcing it going forward would be even more difficult.

I've read countless posts across the Internet where other people have had this problem, but no good or usable solutions yet. "Tell the user to close the browser" isn't an option because we can't force them to do so (even though it's in their best interested to do so). The location of JSESSIONID will usually be unknown, and as far as I know, cannot be obtained from the browser, for security reasons. Each developer has the ability to store the cookie in any path the choose. (It's my understanding that they started using different paths because at one time it wasn't possible to rename the JSESSIONID (if it even is now), and having multiple applications storing JSESSIONID at / would cause the second one to cancel out the first one, the third one to cancel out the second one, etc, so a user could use only a single application at a time.

I hope I'm explaining this well enough, and that someone, somewhere, has come up with a solution to this.

Much oblige!
Sam
  • 1. Re: User1 logs out, JSESSIONID not deleted, User2 logs in and gets User1s Data
    Faisal Khan Expert
    Currently Being Moderated
    Just a wild suggestion that u can try..

    If its a secure url on Weblogic Server, u can enable SSL, so in addition to JSESSIONID another cookie will be created WL_AUTHCOOKIE.
    Only the same user will have access to the resources.. no other user...

    You architecture is not very clear to me.. nor its clear where Weblogic Server fits in...
  • 2. Re: User1 logs out, JSESSIONID not deleted, User2 logs in and gets User1s Data
    1003981 Newbie
    Currently Being Moderated
    My apologies about the ambiguity.

    Without being able to make a picture or drawing it's not so easy, but here's the steps that happen:

    In this example I'll use an app called FOO that User1 and User2 need to login to.

    User1 goes to our intranet and attempts to access FOO.

    User1's request is intercepted by SiteMinder.

    User1 authenticates to SiteMinder, at which time an SMSESSION cookie is created in the browser.

    If User1 is authorized to use FOO, he's then forwarded onto the FOO login.

    User1 authenticates to FOO, at which time a JSESSIONID cookie is created in the browser, but not at / (root). It may be created in /FOO/JSESSIONID<value>, or it may be elsewhere.

    User1 finishes his FOO session and logs out. The logout.shtml page terminates the SMESSION (SiteMinder) session for User1. However, it's can't remove the JSESSIONID cookie because it's not in / (root) in the browser. User1 logs out, but does not close the browser.

    User2 comes along behind User1, and wants to use the FOO application, using the same PC as User1.

    User2 attempts to launch FOO. SiteMinder intercepts the call and wants User2 to first authenticate to SiteMinder, which he does. SiteMinder generates an SMSESSION cookie for User2.

    User2 now attempts to login to FOO. But because the JSESSIONID cookie is still there (leftover from User1's session because it couldn't be removed), User2 is taken directly into User1's FOO information.

    This is much easier to view conceptually with a drawing, however hopefully this will explain the process a bit better. Thank you for your reply and effort to help with this. I'm very grateful.

    Sam
  • 3. Re: User1 logs out, JSESSIONID not deleted, User2 logs in and gets User1s Data
    KirandeepKaur Newbie
    Currently Being Moderated
    Is there only one application deployed ? Are we invalidation the session on logout like using session.invalidate() , if there is only one application this should invalidate the session.But is there are more applications then you would have to make use of any one of following :

    weblogic.servlet.security.ServletAuthentication.invalidateAll()

    OR

    weblogic.servlet.security.ServletAuthentication.killCookie()

    This may give you more clear idea on these funcations:

    http://docs.oracle.com/cd/E24329_01/web.1211/e21049/sessions.htm#i139724

    Hope this helps.

    Regards,
    Kirandeep

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points