Isis / ISIS-1434

Cookie not cleared after logout, Shiro session remains active

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.12.1
    • Fix Version/s: 1.13.0
    • Component/s: Core: Security: Shiro
    • Labels:
      None
    • Environment:
      OSX

      Description

      I have some files that I have stored in the resource folder, which I only want to be available for authenticated users. So I have added the following contents to my shiro.ini file:

      [main]
      authc.loginUrl = /wicket/signin
       
      [urls]
      /dist/** = authc
      

      When I am not authenticated, retrieving a page from that folder correctly brings me to Wicket. After logging in, the resource becomes available. However, when I log out, either through the TertiaryActionsPanel in Wicket, or using the logout call from the UserResource, it seems that my cookie is not cleared. I am logged out from Wicket, but I can still access the resources (until I clear my cookie on the client side).

      In this case I'm trying to protect a few resources, which is a kind of ridiculous use case, but I think that this also applies to other servlet filters, which may lead to some unwanted results.
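
A regression check for the behaviour reported above, as an added example that is not part of the original report or of the Isis code base. A constructed in-process server stands in for the application (the `/logout` URL, the GET-based sign-in, the session ids and `/dist/app.js` are assumptions), and the check replays the pre-logout cookie against `/dist/**`:

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def make_app(invalidate_on_logout):
    """Constructed stand-in: /dist/** is served only for a live server-side session."""
    sessions = set()
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the run quiet
            pass
        def do_GET(self):
            sid = (self.headers.get("Cookie") or "").partition("JSESSIONID=")[2]
            code, header = 302, ("Location", "/wicket/signin")  # default: authc redirect
            if self.path == "/wicket/signin":  # constructed: a GET signs the user in
                sid = "sid-%d" % (len(sessions) + 1)  # constructed session id
                sessions.add(sid)
                code, header = 200, ("Set-Cookie", "JSESSIONID=" + sid)
            elif self.path == "/logout" and invalidate_on_logout:  # hypothetical URL
                sessions.discard(sid)  # server-side invalidation; the buggy path skips it
            elif self.path.startswith("/dist/") and sid in sessions:
                code, header = 200, ("Cache-Control", "no-store")
            self.send_response(code)
            self.send_header(*header)
            self.send_header("Content-Length", "0")
            self.end_headers()
    return ThreadingHTTPServer(("127.0.0.1", 0), Handler)

def get(port, path, cookie=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Cookie": cookie} if cookie else {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Set-Cookie")

def cookie_survives_logout(invalidate_on_logout):
    # True means the old cookie still opens /dist/** after logout (the reported bug).
    server = make_app(invalidate_on_logout)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        _, cookie = get(port, "/wicket/signin")
        get(port, "/logout", cookie)
        status, _ = get(port, "/dist/app.js", cookie)  # replay the pre-logout cookie
        return status == 200
    finally:
        server.shutdown()
        server.server_close()
```

Against a real deployment the same three requests apply, with the stand-in server replaced by the application's own sign-in and logout calls; a 200 on the final request means the server-side session outlived the logout.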

            People

            • Assignee:
              danhaywood Dan Haywood
              Reporter:
              jwgmeligmeyling Jan-Willem Gmelig Meyling