我通常使用JSP处理站点注销,该JSP执行<%= session.invalidate()%>,然后重定向到主页.现在,我正在使用LTPA和SSL证书在WebSphere上运行身份验证. Session.invalidate()不起作用.有人建议这是因为WAS正在使用LTPA. LTPA创建一个不会被session.invalidate清除的身份验证cookie(LtpaToken2).
I normally handle site logout with a JSP that executes <%= session.invalidate() %> then redirects to the home page. Now I am running on WebSphere authenticating using LTPA and a SSL Certificate. Session.invalidate() does not work. Someone suggested it is because WAS is using LTPA. LTPA creates an authentication cookie (LtpaToken2) that is not cleared by session.invalidate.
IBM确实可以使用专有的注销JSP ***,但是我不想使用特定于供应商的解决方案.是否有人解决了注销LTPA cookie而不绑定到供应商的J2EE容器的会话注销?
IBM does have a proprietary logout JSP*** I could use, but I don't want to use a vendor specific solution. Has anybody tackled a session logout that clears the LTPA cookie without being tied to a vendor's J2EE container?
推荐答案我找到了解决方法:
- 在管理控制台中,单击Security> Global security
- 在Custom properties下,单击New
- 在名称"字段中,输入com.ibm.ws.security.web.logoutOnHTTPSessionExpire
- 在值"字段中,输入true
- 单击Apply和Save将更改保存到您的配置中
- 重新同步并重新启动服务器
- In the administrative console, click Security > Global security
- Under Custom properties, click New
- In the Name field, enter com.ibm.ws.security.web.logoutOnHTTPSessionExpire
- In the Values field, enter true
- Click Apply and Save to save the changes to your configuration
- Resynchronize and restart the server
更多推荐
会话无效不适用于基于LTPA的安全性
发布评论