Question

I have a web app deployed on WAS 7 behind TAM WebSEAL 6.1, which uses TAI and LTPA2 single sign-on. User login and SSO are working perfectly. At logout, HTTPSession.invalidate() is invoked and https://<webseal url>/pkmslogout is called.

The problem is: after logout, the WebSEAL session seems to clear, but the WebSphere JSESSIONID cookie stays. Also, the session cache on the WAS has the old user information when logged in with a new user.

Does anyone know if I'm doing the logout implementation correctly? Is there any other configuration in the SSO settings that keeps this session cache from being deleted when the session is invalidated?

Implementation of the log out code: logOutURL in the code below is the WebSEAL pkmslogout link

public void logout(ActionEvent event) {
    // The WebSEAL pkmslogout link, read from the component's attributes.
    String logOutURL = (String) event.getComponent().getAttributes().get(ATTRIBUTE_NAME_LOGOUT_URL);
    // Invalidate the application's HTTP session on WebSphere.
    getSession().invalidate();
    try {
        FacesContext c = FacesContext.getCurrentInstance();
        if (c != null) {
            // Send the browser to WebSEAL to end the WebSEAL session.
            c.getExternalContext().redirect(logOutURL);
        }
    } catch (IOException e) {
        log.error("Exception while processing logout redirect.", e);
    }
}

Thank you.

Solution

Learnt from some other forum that "ibm_security_logout" from WebSphere would help revoke the session. Details: http://www-01.ibm.com/support/docview.wss?uid=swg21254556

I'm yet to try this, I'll keep the forum posted.

Other tips

On WebSphere 8.5.5 (maybe in older versions, too) you can set a custom property.

Security -> Global Security -> Custom properties

com.ibm.ws.security.web.logoutOnHTTPSessionExpire=true
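
One way to wire up the ibm_security_logout approach mentioned in the solution above, as an added example that is not code from the original posts or from IBM: it invalidates the HTTP session, expires the JSESSIONID cookie the question reports as lingering, and hands off to WebSphere's logout URL. Assumptions: the class name SsoLogout and the exitPage parameter are hypothetical, the cookie uses the name JSESSIONID with path "/" and reaches the browser unmodified through the WebSEAL junction, and ibm_security_logout accepts a redirect carrying a logoutExitPage parameter (IBM documents it as a form POST target).

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: application-side logout for a WebSphere app behind WebSEAL. */
public final class SsoLogout {

    private SsoLogout() { }

    /** Accept only same-site absolute paths so the exit page cannot become an open redirect. */
    static boolean isLocalPath(String p) {
        return p != null && p.startsWith("/") && !p.startsWith("//")
                && p.indexOf('\\') < 0 && p.indexOf('\r') < 0 && p.indexOf('\n') < 0;
    }

    /**
     * exitPage (assumption): a path WebSphere accepts as logoutExitPage and from
     * which the browser continues to WebSEAL's pkmslogout.
     */
    public static void logout(HttpServletRequest req, HttpServletResponse resp,
                              String exitPage) throws IOException {
        if (!isLocalPath(exitPage)) {
            throw new IllegalArgumentException("exit page must be a local path");
        }

        // 1. Drop the application session, if any, without creating a new one.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Tell the browser to discard the session cookie. Deletion only works
        //    when name and path match the original cookie (assumed "/" here).
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setPath("/");
        expired.setMaxAge(0);
        expired.setSecure(true);
        resp.addCookie(expired);

        // 3. Keep pages from the old session out of browser and proxy caches.
        resp.setHeader("Cache-Control", "no-store");

        // 4. Let WebSphere revoke its security context, then go to the exit page.
        String target = req.getContextPath() + "/ibm_security_logout?logoutExitPage="
                + URLEncoder.encode(exitPage, "UTF-8");
        resp.sendRedirect(target);
    }
}
```

From a JSF action such as the one in the question, the request and response objects are available through FacesContext.getCurrentInstance().getExternalContext().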

License: CC-BY-SA with attribution
Not affiliated with StackOverflow