ObUserSession.logoff() Method Does Not Clean Up Anything On Access Server; ObSSOCookie Can Still Be Used On Other Session (Doc ID 394365.1)

Last updated on MARCH 08, 2017

Applies to:

COREid Access - Version: 6.1.1 to 10.1.4.0.1 - Release: to 10g
Information in this document applies to any platform.
Checked for relevance on 12-Apr-2010

Symptoms

ObUserSession.logoff() method does not seems to clean up anything on the access server. It just sets the local session token value to loggedout.     If this is not the way to kill the session on the server, how do you do it?

The cookie in the user's browser can be deleted, but the concern is that even after a logout is done on a token and put that back to the browser in the ObSSOCookie; someone could have captured a valid token from previous requests and use that one even after the token is invalidated. The bottom line is, server does need to know that the token was invalidated, because there can still
be unauthorized access to a resource after we invalidated a token.

### Steps to Reproduce Problem ###
1.  Call the obusersession.logoff() method

2.  Create a new obusersession using the original token

3.  Call the obusersession.isAuthenticated() method

You will find out that the user is still authenticated.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms