Dennis

Reputation: 338

Spring-Security with /j_spring_security_logout possibly not logging out fully

So I am trying to determine if this is a bug or browser caching or if I am missing something, but when I log out I can access any page that I have previously accessed before. I even have an AJAX call to a REST endpoint, and when I call that I print the response and get a 200 OK.

Now if I click logout it returns to the login page with the invalid session URL params. So it looks like it is attempting to remove the session, plus if I close the browser fully, not just the tab, I can no longer access the pages I was able to access before. But if I don't close the browser I can access any pages that I have already accessed; pages I have not accessed yet forward me to the login page. It makes me wonder if it's a browser cache issue, but the 200 OK on the AJAX request makes me doubt that.

Spring-Security version 3.1.0

Here is my configuration for the logout.

<logout invalidate-session="true" logout-success-url="/login-page.html?logout=true"
        logout-url="/j_spring_security_logout" />
<session-management invalid-session-url="/login-page.html?session=invalid">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>

In the web.xml I have added this listener:

<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

UPDATE

It was indeed a browser cache issue, so to fix it I added to the DispatcherServlet xml

<bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
    <property name="cacheSeconds" value="0" />
</bean>

Also added the META tags to head

<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">

This now disables caching for all my pages and rest methods.

Upvotes: 3

Views: 3811

Answers (1)

Tomasz Nurkiewicz

Reputation: 341003

Indeed it really looks like a caching issue:

  • Try accessing already visited pages with some extra random parameter
  • ...try the same with the AJAX call (just append ?random= + Math.random()).
  • Also try POSTing using AJAX, as GET is much more likely to be cached.
  • Finally have a look at Firebug or any other monitoring tool (or access log on the server side) to confirm the request was cached. If caching is the problem, investigate why browser decides to cache your resources.

Upvotes: 4
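
As an added example (not part of the question or the answer above), the check below classifies response headers copied from the browser's network panel to show whether a page can be redisplayed after logout without the server's session check ever running. Function names are hypothetical and the sample header sets are constructed.

```javascript
// Added example: how a browser cache may treat a response, per RFC 9111.
// Function names are hypothetical; the header sets below are constructed.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || "").split(",")) {
    const [name, arg] = part.trim().split("=");
    if (name) directives.set(name.toLowerCase(), arg === undefined ? true : arg);
  }
  return directives;
}

function cacheVerdict(headers, now = Date.now()) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const cc = parseCacheControl(h["cache-control"]);

  if (cc.has("no-store")) return "never-stored"; // nothing kept after logout
  if (cc.has("no-cache")) return "revalidated";  // server is asked every time
  // Pragma in a response has no meaning defined by the HTTP caching
  // specification, so it is not consulted here.
  if (cc.has("max-age")) {
    return Number(cc.get("max-age")) > 0 ? "reused" : "revalidated";
  }
  if (h["expires"] !== undefined) {
    const t = Date.parse(h["expires"]);
    // Invalid dates such as "-1" or "0" count as already expired.
    return !Number.isNaN(t) && t > now ? "reused" : "revalidated";
  }
  return "heuristic"; // no explicit policy: the browser picks its own lifetime
}

// True when the browser may show the response again without asking the
// server, which means an invalidated session is never checked.
function servedWithoutServerCheck(headers, now = Date.now()) {
  const verdict = cacheVerdict(headers, now);
  return verdict === "reused" || verdict === "heuristic";
}

const NOW = Date.parse("2024-01-01T00:00:00Z"); // fixed clock for the demo
const samples = {
  "no cache headers": {},
  "explicit lifetime": { "Cache-Control": "private, max-age=600" },
  "caching disabled": { "Cache-Control": "no-cache, no-store", Expires: "-1" },
};
for (const [label, headers] of Object.entries(samples)) {
  console.log(label, "->", cacheVerdict(headers, NOW));
}
```
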
