
I use /myaccount to let my users manage their account and also to access apps. When I launch an app and do not log out from this app, but from WSO2IS, the session for the app is still valid.

Login to /myaccount with User1 : OK
Launch App(1) from /myaccount, I am logged in as User1 : OK
Logout User1 from /myaccount : OK
Login to /myAccount with User2 : OK
Launch App(1) from /myaccount, I am still logged in as User1 : NOK

How can I close all sessions when User1 logs out?

Thank you for your support.

WSO2is v5.11.0 (Docker)


1 Answer


If you enable SSO session-based binding for your apps, then the tokens issued for your apps will be bound to the sessions.

Then enable the config Revoke tokens upon logout. This will revoke the tokens bound to the session when the user logs out.


So when the user logs out, all the tokens bound to the session will be revoked.

  • Hello, Thank you Piraveena. It is what I did, and I tried again but the issue is still there. Any other idea? – PascalL Mar 15 '21 at 06:32
  • Did you check the status of the token? It should be revoked upon logout – Piraveena Paralogarajah Mar 15 '21 at 07:52
  • Hi, it seems not. I have to say that when I click from /myaccount to launch myApp(1), it opens the application in a new tab in Google Chrome. Despite the settings to bind the access token to the session as you advised, when I come back to /myaccount and click on logout, I can still continue to use myApp(1) even if the session is terminated as I am supposed to be disconnected. – PascalL Mar 16 '21 at 00:02
  • If you have done the above configurations, tokens will be revoked and IDP sessions will be terminated. So then you need to periodically check the token status and terminate the application session. In your case, I guess, you didn't terminate the application session. That should be done from the application side – Piraveena Paralogarajah Mar 16 '21 at 04:07
  • Thank you Piraveena. I thought that when a user was logged out from WSO2is, then all sessions related to this user were also closed for his applications. I just need to set up a short session lifetime in WSO2is to prevent this type of behavior as much as possible. – PascalL Mar 21 '21 at 10:03
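The application-side check the answer and its comments describe (the app polling the token status and ending its own session once WSO2 IS has revoked the token) as an added example, not code from the post or from WSO2. It assumes the standard RFC 7662 introspection endpoint WSO2 IS exposes at /oauth2/introspect; the host, client id and client secret are placeholders, and the sample responses are constructed.

```python
"""App-side check that ends the app session once WSO2 IS revokes the token.
Added example, not from the post or from WSO2. Uses the RFC 7662 introspection
endpoint (WSO2 IS: /oauth2/introspect); host and credentials are placeholders."""
import base64
import json
import time
import urllib.request
from typing import Callable, Dict, Optional

INTROSPECT_URL = "https://localhost:9443/oauth2/introspect"  # assumed host
CLIENT_ID = "APP1_CLIENT_ID_PLACEHOLDER"          # placeholder, not a real id
CLIENT_SECRET = "APP1_CLIENT_SECRET_PLACEHOLDER"  # placeholder, not a real secret

# Constructed sample responses, not captured from a real WSO2 IS instance.
SAMPLE_ACTIVE = {"active": True, "exp": 9999999999, "client_id": CLIENT_ID,
                 "username": "User1", "token_type": "Bearer", "scope": "openid"}
SAMPLE_REVOKED = {"active": False}  # shape returned once the token is revoked


def introspect_via_http(token: str) -> Dict:
    """Real transport: POST token=<value> with client Basic auth, return JSON."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    req = urllib.request.Request(
        INTROSPECT_URL,
        data=f"token={token}".encode(),  # a bytes body makes this a POST
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def session_still_valid(introspection: Dict, now: Optional[float] = None) -> bool:
    """True only if the token is reported active and not past its 'exp'."""
    # With SSO session binding and 'Revoke tokens upon logout', the IDP logout
    # revokes the token, so the next introspection returns {"active": false}.
    if introspection.get("active") is not True:
        return False
    exp = introspection.get("exp")
    now = time.time() if now is None else now
    return exp is None or exp > now


def poll_once(token: str, introspect: Callable[[str], Dict] = introspect_via_http) -> str:
    """One polling tick for the app: 'keep' or 'terminate' its local session."""
    try:
        result = introspect(token)
    except Exception:
        return "terminate"  # fail closed: an unreachable IS cannot vouch for the token
    return "keep" if session_still_valid(result) else "terminate"
```

Run `poll_once` on a timer (or on each request) in App(1) and destroy the local session when it returns "terminate"; the polling interval bounds how long the app stays usable after the IDP logout.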