
ObUserSession.logoff() Method Does Not Clean Up Anything On Access Server; ObSSOCookie Can Still Be Used On Other Session (Doc ID 394365.1)

Last updated on MARCH 08, 2017

Applies to:

COREid Access - Version: 6.1.1 to 10.1.4.0.1 - Release: to 10g
Information in this document applies to any platform.
Checked for relevance on 12-Apr-2010

Symptoms

The ObUserSession.logoff() method does not seem to clean up anything on the Access Server. It only sets the status of the local session token to logged out. If this is not the way to kill the session on the server, how do you do it?

The cookie can be deleted from the user's browser, but the concern is this: even after logoff() has been called on a token and the logged-out token has been written back to the browser in the ObSSOCookie, someone who captured the original, still-valid token from an earlier request could continue to use it after the token was supposedly invalidated. The bottom line is that the server needs to know that the token was invalidated; otherwise there can still be unauthorized access to a resource after the token has been invalidated.

### Steps to Reproduce Problem ###
1.  Call the obusersession.logoff() method

2.  Create a new obusersession using the original token

3.  Call the obusersession.isAuthenticated() method

You will find out that the user is still authenticated.
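The three steps above as a small Access SDK harness, added here as an illustration rather than code from this note or from Oracle. It logs in, keeps a copy of the session token to stand in for one captured off the wire, calls logoff() on the original session, then rebuilds a session from the copied token and asks whether it is still authenticated. Class and method names (ObConfig, ObResourceRequest, ObUserSession, logoff(), isAuthenticated(), getSessionToken()) are taken from the note and from the 10g Access SDK as I recall it; the credential keys "userid" and "password", the placeholder host, resource and user, and the SDK install directory are assumptions to check against the javadoc for your SDK version.

```java
import java.util.Hashtable;

import com.oblix.access.ObAccessException;
import com.oblix.access.ObConfig;
import com.oblix.access.ObResourceRequest;
import com.oblix.access.ObUserSession;

/**
 * Reproduces the symptom in this note: after logoff(), a session rebuilt
 * from the ORIGINAL token is still reported as authenticated.
 *
 * Added example; not part of the note. All connection details are placeholders.
 */
public class LogoffReplayCheck {

    /**
     * Returns true when a token that has been "logged off" is still accepted
     * when presented again, i.e. logoff() did not invalidate it on the Access Server.
     */
    public static boolean tokenStillValidAfterLogoff(String sdkInstallDir,
                                                     String resourceType,
                                                     String resourceUrl,
                                                     String userId,
                                                     String password)
            throws ObAccessException {
        // Assumption: ObConfig.initialize() takes the Access SDK install directory.
        ObConfig.initialize(sdkInstallDir);
        try {
            // Authenticate against a protected resource to obtain a session token.
            ObResourceRequest res = new ObResourceRequest(resourceType, resourceUrl, "GET");
            Hashtable<String, String> creds = new Hashtable<String, String>();
            creds.put("userid", userId);      // assumed credential key names
            creds.put("password", password);
            ObUserSession session = new ObUserSession(res, creds);
            if (!session.isAuthenticated()) {
                throw new IllegalStateException("login failed, status=" + session.getStatus());
            }

            // Copy the token BEFORE logoff. This is the value an attacker would have
            // captured from an earlier request (for example from the ObSSOCookie).
            String capturedToken = session.getSessionToken();

            // Step 1: log off. Per the note, this only changes the local object.
            session.logoff();

            // Step 2: rebuild a session from the captured token, as a replay would.
            ObUserSession replayed = new ObUserSession(capturedToken);

            // Step 3: if this is still true, the server did not learn about the logoff.
            return replayed.isAuthenticated();
        } finally {
            ObConfig.shutdown();
        }
    }

    public static void main(String[] args) throws ObAccessException {
        // Placeholder values; replace with a resource and test user from your deployment.
        boolean replayable = tokenStillValidAfterLogoff(
                "/opt/netpoint/AccessServerSDK",
                "http",
                "//www.example.com/protected/index.html",
                "testuser",
                "testpassword");
        System.out.println(replayable
                ? "Token still accepted after logoff(): server-side session was NOT invalidated"
                : "Token rejected after logoff()");
    }
}
```

Run this against a test resource rather than a production one; if it prints the first message, deleting the cookie in the browser does not close the window the note describes, because any copy of the token taken before logoff() remains usable until the Access Server itself stops accepting it.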

Cause




Platforms: 1-914CU;

This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.
