- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 3.0 Enterprise
- Fix Version/s: 3.4.a Community
- Component/s: Repository
- Labels: None

Monitoring the Tomcat sessions and the HTTP requests/responses, we can see that when a session is started via startSession, an HTTP session is created and a cookie is sent. But when the session is ended via endSession, the HTTP session is not invalidated and another session is created.
The cookie should be sent when ending a session so that the HTTP session can be invalidated.
This behaviour seems to be present on version 2.1+.
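We could add in AuthenticationWebService#endSession something like:
HttpServletRequest req = (HttpServletRequest)
        MessageContext.getCurrentContext().getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
// getSession(false) returns the existing session without creating a new one.
// The statement after the if is missing on the page; invalidate() is assumed from the description above.
if (req.getSession(false) != null)
    req.getSession(false).invalidate();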
We would also need to modify AuthenticationUtils to send the session cookie when ending a session.
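
The model below is an added example, not Alfresco code, and is written in Python rather than Java so that it runs stand-alone. It assumes, as the report observes, that a request arriving without a session cookie causes a new HTTP session to be created, and it shows why both proposed changes are needed together. The names `Container`, `invalidate_on_end` and `client_sends_cookie` are hypothetical.

```python
import uuid


class Container:
    """Toy model of a servlet container's HTTP session table (constructed)."""

    def __init__(self, invalidate_on_end):
        self.sessions = set()                    # ids of live HTTP sessions
        self.invalidate_on_end = invalidate_on_end

    def _get_session(self, cookie, create):
        # Mirrors HttpServletRequest.getSession(create): reuse the session
        # named by the cookie, otherwise create one only when asked to.
        if cookie in self.sessions:
            return cookie
        if not create:
            return None
        sid = uuid.uuid4().hex
        self.sessions.add(sid)
        return sid

    def start_session(self, cookie=None):
        # Returns the session id the client receives in Set-Cookie.
        return self._get_session(cookie, create=True)

    def end_session(self, cookie=None):
        # Assumption taken from the report: the request path creates a
        # session whenever the request carries no valid session cookie.
        sid = self._get_session(cookie, create=True)
        if self.invalidate_on_end and self._get_session(sid, create=False):
            self.sessions.discard(sid)           # stands in for invalidate()


def live_sessions_after_logout(invalidate_on_end, client_sends_cookie):
    """Run startSession then endSession; return (live count, original alive)."""
    c = Container(invalidate_on_end)
    sid = c.start_session()
    c.end_session(sid if client_sends_cookie else None)
    return len(c.sessions), sid in c.sessions


def matrix():
    # Keys are (server invalidates in endSession, client sends the cookie).
    return {(fix, cookie): live_sessions_after_logout(fix, cookie)
            for fix in (False, True) for cookie in (False, True)}


if __name__ == "__main__":
    for case, result in matrix().items():
        print(case, result)
```

With the server-side change alone, the session that gets invalidated is the one just created for the cookie-less request, so the original session stays alive until it times out.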