User Sessions May be Compromised due to Incomplete Log Out Procedure

(Doc ID 1682717.1)

Last updated on JUNE 08, 2017

Applies to:

Oracle Retail Invoice Matching - Version 13.1.5.1 and later
Information in this document applies to any platform.

Symptoms

ReIM (Retail Invoice Matching) application does not log out users correctly. When logging off, users are requested to close their browsers screen. If a user does not do so but browses to another page of the application instead, he will find himself to be logged on again.Even if a user does close the browser screen he will technically still be logged on.This can be determined from the behaviour of the application when the original session cookie used by the application is restored. The user is also logged into the application again.Both observation are an indication that the session is not properly destroyed at the server side.

Steps To Recreate:
1.Make sure Reim application is configured through Single Sign On (SSO) session.
2.Enter the SSO username and password.
3.User can see the application home page.
4.Click the logoff link.
5.The ReIM component does not log out users correctly. When logging off, users are requested to close their browsers screen. If a user does not do so but browses to another page of the application instead, he will find himself to be logged on-again.
6.Even if a user does close the browser screen, technically still be logged on. It’s not logging the SSO session.Application should correctly logout the SSO session.

 

Changes

 

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms