Spring Security Logout session is not invalidated

Question

I tried almost everything I could find on StackOverflow and elsewhere to make this working and this still does not work. I am using Spring Framework 4.1.6.RELEASE, Spring Securi

Answer 1

---

Update 2015-04-23 14:37:00 SOLVED

My problem is solved. Since I sent via ajax a POST to logout, I received the url where I am supposed to point my browser from my success logout handler. I have to manually point the browser to this location from my javascript with the window.location.href = new_url.

---

Update 2015-04-23 15:55:00 follow up

Note: I have to put this into a separated answer since I reached the limit of characters in a single post.

Here is a snippet of my javascript code to post via ajax requesting the logout:

    $('#deconnexion').click(function(event) {
        // Envoyer la requête
        var csrfToken = $("meta[name='_csrf']").attr("content");
        var csrfHeader = $("meta[name='_csrf_header']").attr("content");
        var csrf_header = { };
        csrf_header[csrfHeader] = csrfToken;
        $.ajax({
            headers: csrf_header,
            url: 'deconnexion',
            processData: false,
            type: "POST",
            contentType: "text/xml",
            dataType: "text",
            success: function(data, textStatus, xhr) {
            /* */
                console.log("Etat rapporté: " + xhr.status);
                console.log("Données: " + data);
                console.log("Etat description: " + textStatus);
                console.log("reponseText: " + xhr.responseText);
                console.log("URL redirection: " + xhr.getResponseHeader("Location"));
            /*  */
                //window.location.href = xhr.getResponseHeader("Location");
            },
            error: function(xhr, textStatus, thrownError) {
            /*
                console.log("Etat rapporté: " + xhr.status);
                console.log("Erreur description: " + thrownError);
                console.log("Etat description: " + textStatus);
                console.log("reponseText: " + xhr.responseText);
                */
                window.location.href = xhr.getResponseHeader("Location");
            }
        });
    });

I haven't yet tested the error conditions. In the script the window.location.href is commented for the test.

Here are the screenshots:

If there is something that can be done to let the browser and AJAX do the job, I am interested to know how I can do this.

Answer 2

Answering so you can close your question.

If you're using Spring Security's CSRF protection, you must POST to log out (though this is configurable I believe).

Can you do the logout POST with Javascript but non-AJAX? Like:

<!-- anywhere in your document: -->
<form:form action="deconnexion" id="logoutForm">
  <!-- csrf hidden input included automagically -->
</form:form>

<!-- in your menu: -->
<a href="#" onclick="document.forms.namedItem('logoutForm').submit()">Log out</a>