
When I log out of an application on WebSphere and back on, the LTPA token is unchanged. I thought it would change because session tokens are supposed to be unpredictable.

Brijesh

2 Answers


What do you do when you log out of your application?

Are you invalidating the LTPA cookie?

If not, the browser still has the LTPA cookie, which tells the App Server that you are authenticated as far as it is concerned.

Do not assume that session ID and HTTP Sessions and LTPA are one and the same.

Manglu

    Also refer to: http://download.boulder.ibm.com/ibmdl/pub/software/dw/wes/pdf/0611_botzum-WAS-60-security-programming-hints.pdf This does not provide you the exact answer to your question, but it does provide broad info that is useful for you. Using ibm_security_logoutURL is a good option to log out and remove the LTPA cookie from the browser. HTH Manglu – Manglu Aug 09 '10 at 04:32

Session cookies (JSESSIONID) do not change on several product versions when logging out. This is because unauthenticated users may also have sessions. There is no actual problem there. The SSO cookies (LTPAKEY and LTPAKEY2) will get invalidated on any proper logout.

It is also possible that your application is faulty. In that case, what you have is a custom authentication system built into your application that does not properly take into account the mechanisms WebSphere Application Server provides. The application should probably call for real invalidation, for example.

erloewe
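As an added illustration of the "real invalidation" both answers point at (this is example code written for this page, not code from the original thread, from IBM, or from the asker's application), here is a Servlet 3.0 logout handler as it would be deployed on WebSphere Application Server 8 or later. It assumes the default SSO cookie names LtpaToken and LtpaToken2, that the cookies were issued for the root path of the host, and a hypothetical post-logout page at /loggedout.html; the `request.logout()` call and the explicit cookie expiry are the two steps a logout that only calls `session.invalidate()` is missing.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example logout servlet (added for this page, not the thread's code).
 * Map it to e.g. /logout in web.xml or with @WebServlet("/logout").
 */
public class LogoutServlet extends HttpServlet {

    // Default WebSphere SSO cookie names. If your cell uses custom names,
    // take them from the security configuration instead (assumption).
    private static final String[] SSO_COOKIES = {"LtpaToken", "LtpaToken2"};

    // Hypothetical landing page; any unauthenticated page will do.
    private static final String EXIT_PAGE = "/loggedout.html";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. Drop the HttpSession. On its own this does NOT log the user out:
        //    the browser still holds LtpaToken2 and the next request is
        //    re-authenticated from it, which is the symptom in the question.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Servlet 3.0 container logout. On WebSphere this clears the
        //    authenticated subject for this request and the server-side
        //    authentication cache entry, and the container itself will
        //    usually also expire its SSO cookies in the response.
        req.logout();

        // 3. Expire the SSO cookies explicitly as well, so the logout does
        //    not depend on container behaviour. Path and domain must match
        //    the values the cookies were set with, otherwise the browser
        //    keeps the originals (if an LTPA SSO domain is configured,
        //    add c.setDomain(thatDomain)).
        for (String name : SSO_COOKIES) {
            Cookie c = new Cookie(name, "");
            c.setMaxAge(0);            // Max-Age=0 deletes the cookie
            c.setPath("/");
            c.setHttpOnly(true);
            c.setSecure(req.isSecure());
            resp.addCookie(c);
        }

        // 4. Make sure no intermediary caches the authenticated response.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");

        resp.sendRedirect(req.getContextPath() + EXIT_PAGE);
    }

    // Logout must not be a GET: a link or an <img src> on another site could
    // otherwise log the victim out (or, worse, a stray prefetch could).
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

Two caveats worth keeping in mind when checking this against the behaviour described in the question. First, an unchanged JSESSIONID after logout is not by itself a finding, as the second answer says; what matters is whether a request carrying the old LtpaToken2 value is still treated as authenticated. Second, an LTPA token is a signed, self-contained token: expiring the cookie stops the browser from sending it, but a copy captured before logout can still be presented until the token's configured expiry, so the token lifetime, not the logout, bounds the exposure of a leaked token. On versions that predate Servlet 3.0, the form-based `ibm_security_logout` mechanism mentioned in Manglu's comment is the supported way to get the container to clear these cookies.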