Question
I normally handle site logout with a JSP that executes <% session.invalidate(); %> then redirects to the home page. Now I am running on WebSphere authenticating using LTPA and an SSL certificate. Session.invalidate() does not work. Someone suggested it is because WAS is using LTPA. LTPA creates an authentication cookie (LtpaToken2) that is not cleared by session.invalidate.
IBM does have a proprietary logout JSP*** I could use, but I don't want to use a vendor-specific solution. Has anybody tackled a session logout that clears the LTPA cookie without being tied to a vendor's J2EE container?
Answer 1:
I have found a solution:
- In the administrative console, click Security > Global security
- Under Custom properties, click New
- In the Name field, enter com.ibm.ws.security.web.logoutOnHTTPSessionExpire
- In the Values field, enter true
- Click Apply and Save to save the changes to your configuration
- Resynchronize and restart the server
Source: https://stackoverflow.com/questions/18898141/session-invalidate-not-working-with-ltpa-based-security
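
A container-neutral logout of the kind the question asks for, as an added example that is not from the original post or from IBM. It uses only standard Servlet 3.0 calls; the servlet name, the /logout mapping and the cookie path "/" are assumptions, and it accepts POST only so that a cross-site link cannot log a user out.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet name and URL mapping; not from the original post.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Cookie name as given in the question. Path "/" is an assumption: a browser
    // only drops a cookie when the expiring copy has the same name, path and domain.
    private static final String SSO_COOKIE = "LtpaToken2";
    private static final String SSO_COOKIE_PATH = "/";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Drop the HTTP session if one exists; do not create one just to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Servlet 3.0 standard logout: clears the container's authenticated
        //    identity for this request (getUserPrincipal() returns null afterwards).
        req.logout();

        // 3. Tell the browser to discard the SSO cookie, in case the container left it.
        Cookie expired = new Cookie(SSO_COOKIE, "");
        expired.setPath(SSO_COOKIE_PATH);
        expired.setMaxAge(0);      // 0 = delete immediately
        expired.setSecure(true);   // the site in the question is served over SSL
        expired.setHttpOnly(true);
        resp.addCookie(expired);

        // 4. Keep the logged-out browser from showing cached authenticated pages.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

Expiring the cookie only removes the browser's copy; nothing in this servlet invalidates a token value that was copied beforehand.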