开发者

Can't log out from Oracle SSO

I’m building a J2EE web application which uses Oracle SSO with an OID back-end as the means for authenticating users.

If a user wants to use the application, first he must provide a valid login/password at SSO's login page.

When the user is done using the application, he may click on the logout button; behind the scenes, the action associated with this button invalidates the user’s session and clears up the cookies using the following Java code:

private void clearCookies(HttpServletResponse res, HttpServletRequest req) {
    res.setContentType("text/html");
    for (Cookie cookie : req.getCookies()) {
        cookie.setMaxAge(0);
        cookie.setPath("/");
        cookie.setDomain(req.getHeader("host"));
        res.addCookie(cookie);
    }
}

Also, I have an onclick JavaScript event associated with the logout button, which is supposed to delete the SSO cookies by calling the delOblixCookie() function (as found in some Oracle forum):

function delCookie(name, path, domain) {
  var today = new Date();
  // minus 2 days
  var deleteDate = new Date(today.getTime() - 48 * 60 * 60 * 1000);
  var cookie = name + "="
    + ((path == null) ? "" : "; path=" + path)
    + ((domain == null) ? "" : "; domain=" + domain)
    + "; expires=" + deleteDate;
  document.cookie = cookie;
}

function delOblixCookie() {
  // set focus to ok button
  var isNetscape = (document.layers);
  if (isNetscape == false || navigator.appVersion.charAt开发者_如何学Python(0) >= 5) {
    for (var i=0; i<document.links.length; i++) {
      if (document.links.href == "javascript:top.close()") {
        document.links.focus();
        break;
      }
    }
  }
  delCookie('ObTEMC', '/');
  delCookie('ObSSOCookie', '/');

  // in case cookieDomain is configured delete same cookie to all subdomains
  var subdomain;
  var domain = new String(document.domain);
  var index = domain.indexOf(".");
  while (index > 0) {
    subdomain = domain.substring(index, domain.length);
    if (subdomain.indexOf(".", 1) > 0) {
      delCookie('ObTEMC', '/', subdomain);
      delCookie('ObSSOCookie', '/', subdomain);
    }
    domain = subdomain;
    index = domain.indexOf(".", 1);
  }
}

However, my users are not getting logged out from SSO after they hit the logout button: although a new session is created if they try to access the index page, the SSO login page is not presented to them and they can go straight to the main page without having to authenticate. Only if they manually delete the cookies from the browser, the login page shows up again - not what I need: the users must provide their login/password every time they log out from the application, so I believe there must be something wrong in the code that deletes the cookies.

I’d greatly appreciate any help with this problem, thanks in advance.


Oracle have two web SSO products - Oracle Access Manager and Oracle Single Sign On. The Javascript code you have posted is for Access Manager, so it won't help you. Besides, you shouldn't need to do anything in Javascript to log the user out.

Have a look at the logout section of the OSSO docs. It recommends using the following code:

// Clear application session, if any
String l_return_url := return url to your application
response.setHeader( "Osso-Return-Url", l_return_url);
response.sendError( 470, "Oracle SSO" );


You need a page, with a name of logout, that includes those JavaScript functions.

That's what the documentation says:

The WebGate logs a user out when it receives a URL containing "logout." (including the "."), with the exceptions of logout.gif and logout.jpg, for example, logout.html or logout.pl. When the WebGate receives a URL with this string, the value of the ObSSOCookie is set to "logout.


Cookies don't "delete" untill the browser is closed.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜