Just a wild suggestion that you can try..
If it's a secure URL on WebLogic Server, you can enable SSL, so in addition to JSESSIONID another cookie will be created, WL_AUTHCOOKIE.
Only the same user will have access to the resources.. no other user...
Your architecture is not very clear to me.. nor is it clear where WebLogic Server fits in...
My apologies about the ambiguity.
Without being able to make a picture or drawing it's not so easy, but here are the steps that happen:
In this example I'll use an app called FOO that User1 and User2 need to login to.
User1 goes to our intranet and attempts to access FOO.
User1's request is intercepted by SiteMinder.
User1 authenticates to SiteMinder, at which time an SMSESSION cookie is created in the browser.
If User1 is authorized to use FOO, he's then forwarded onto the FOO login.
User1 authenticates to FOO, at which time a JSESSIONID cookie is created in the browser, but not at / (root). It may be created in /FOO/JSESSIONID<value>, or it may be elsewhere.
User1 finishes his FOO session and logs out. The logout.shtml page terminates the SMSESSION (SiteMinder) session for User1. However, it can't remove the JSESSIONID cookie because it's not in / (root) in the browser. User1 logs out, but does not close the browser.
User2 comes along behind User1, and wants to use the FOO application, using the same PC as User1.
User2 attempts to launch FOO. SiteMinder intercepts the call and wants User2 to first authenticate to SiteMinder, which he does. SiteMinder generates an SMSESSION cookie for User2.
User2 now attempts to log in to FOO. But because the JSESSIONID cookie is still there (left over from User1's session because it couldn't be removed), User2 is taken directly into User1's FOO information.
This is much easier to view conceptually with a drawing, however hopefully this will explain the process a bit better. Thank you for your reply and effort to help with this. I'm very grateful.
Is there only one application deployed? Are we invalidating the session on logout, e.g. using session.invalidate()? If there is only one application this should invalidate the session. But if there are more applications then you would have to make use of any one of the following:
This may give you a clearer idea of these functions:
Hope this helps.
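An added example, not code from this thread nor from WebLogic or SiteMinder, showing what the session.invalidate() suggestion above looks like in a servlet, combined with the other half of the fix for the flow described earlier: expiring the JSESSIONID cookie at the path the container actually set it on (under /FOO rather than /), since a browser only replaces a cookie when the Set-Cookie carries the same name, path and domain. The class name LogoutServlet, the cookie name JSESSIONID, and the redirect to /logout.shtml (the SiteMinder logout page mentioned in the thread) are assumptions; the code uses only the Servlet 2.5 API.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical logout handler for the FOO application (example code, not from
 * the thread). Two things happen here:
 *   1. the server-side HttpSession is invalidated, so a stale JSESSIONID sent by
 *      the next user of the same browser no longer maps to User1's data;
 *   2. the JSESSIONID cookie is expired at the path it was set on, so the browser
 *      stops sending it at all.
 */
public class LogoutServlet extends HttpServlet {

    // Assumption: the container uses the default session cookie name.
    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // false: do not create a fresh session only to tear it down
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();   // the server forgets this session id entirely
        }

        expireSessionCookie(request, response);

        // Keep the logout response (and whatever the Back button shows) out of cache.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");

        // Assumed location of the SiteMinder logout page that ends the SMSESSION.
        response.sendRedirect(request.getContextPath() + "/logout.shtml");
    }

    /**
     * Send an expired copy of the session cookie for each path the browser may be
     * holding it on: the application's own context path (e.g. /FOO, which is where
     * the thread says the cookie lives) and the root, in case a proxy or an earlier
     * deployment stored one there. The path must match exactly, otherwise the
     * browser keeps the old cookie and the next user inherits the session.
     */
    static void expireSessionCookie(HttpServletRequest request, HttpServletResponse response) {
        String contextPath = request.getContextPath();
        String[] paths = { contextPath.length() == 0 ? "/" : contextPath, "/" };
        for (String path : paths) {
            Cookie expired = new Cookie(SESSION_COOKIE, "");
            expired.setPath(path);
            expired.setMaxAge(0);                  // max-age 0 tells the browser to delete it
            expired.setSecure(request.isSecure()); // match the Secure attribute of the original
            response.addCookie(expired);
        }
    }
}
```

Invalidating on the server is the part that actually closes the hole: even if the cookie survives in the browser, an invalidated id is just an unknown id and the container issues a new session. Expiring the cookie is the tidy-up. If the app server sets the cookie on a path other than the context path (WebLogic lets you set this in weblogic.xml under session-descriptor), the paths array above has to match that setting.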