rahul

Reputation: 616

WSO2 IS adaptive authentication: clear session on back button click

I am using WSO2 IS 5.11 configured with basic auth (login page) and password reset enforcer, which will force the user to update the password if it is expired.

But after basic authentication (login page) success, if the password is expired, WSO2 IS routes to the password reset page, but on click of the back button it routes to the basic auth page or login page. Once the user fills in another username and password, and if that user's password is also expired, it'll route to the password reset page, but the authenticated user is still the first one. So, the first user's password will get updated.

So, to tackle this, as I am using SAML for authentication with adaptive authentication, is there any way we can clear the context and route back to the login page with some message?

Upvotes: 1

Views: 173

Answers (1)

Sominda Gamage

Reputation: 411

AFAIU you are doing a browser back in between the auth flow. Doing the browser back at this point will not go through the adaptive script again. Even if you provide an incorrect username and password, you will again go to the password reset page. As per my understanding, we cannot cater to this requirement via the adaptive function.

The approach described here might be a possible fix, but since this is in between the auth flow, there is a good chance that this might not work.

The better way is to improve the pwd-reset.jsp to display the username that was there in the session.

You can get the query string and get the username param from it.

String queryString = request.getQueryString();

The above code will give you all the query parameters. You can strip it by '&' char and get the username param.

Upvotes: 2
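
The query-string approach from the answer above, as an added example that is not part of the original answer or of WSO2's own pwd-reset.jsp: it pulls the `username` parameter out of the raw query string and HTML-escapes it before display, since the value comes from the browser. The class name, method names and the sample query string are assumptions made for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;

// Hypothetical helper for pwd-reset.jsp; class and method names are assumptions.
public class ResetPageUsername {

    // Returns the decoded value of the first "username" parameter, or null if absent.
    static String usernameFromQuery(String queryString) {
        if (queryString == null) return null;
        for (String pair : queryString.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq >= 0 ? pair.substring(0, eq) : pair;
            String value = eq >= 0 ? pair.substring(eq + 1) : "";
            try {
                if ("username".equals(URLDecoder.decode(name, "UTF-8"))) {
                    return URLDecoder.decode(value, "UTF-8");
                }
            } catch (UnsupportedEncodingException | IllegalArgumentException e) {
                // Malformed percent-encoding: ignore this pair rather than fail the page.
            }
        }
        return null;
    }

    // The value is client-supplied, so escape it before writing it into HTML.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed query string; in the JSP this is request.getQueryString().
        String query = "a=1&username=alice%40example.com%3Cb%3E&flag";
        String user = usernameFromQuery(query);
        // Display only: do not use this value to decide whose password is changed.
        System.out.println(user == null ? "(no username)" : "Resetting password for: " + htmlEscape(user));
    }
}
```

In a JSP, `request.getParameter("username")` returns the same decoded value without manual splitting; the escaping step is still needed before the value is written into the page.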
