Posted to users@tomcat.apache.org by Baron Fujimoto <ba...@hawaii.edu> on 2015/03/20 21:27:31 UTC

Tomcat 6->8 upgrade breaks logout script?

I hope someone may be able to provide some insight or a solution to a
problem we encountered after I upgraded from Tomcat 6 to 8. We're using
Tomcat as the servlet container for our Shibboleth IdP SSO, which we use
to authenticate to Google Apps. Google allows you to configure a URL used
for logout. We have this pointed at a logout.jsp page that basically does
the following (excerpted code cribbed from the shibboleth-users list):

<https://groups.google.com/forum/#!msg/shibboleth-users/CFkau-FHCsA/yx7KRO9xMCoJ>
---------------------
Cookie c;

c = new Cookie("JSESSIONID", null);
c.setPath("/idp");
c.setMaxAge(0);
response.addCookie(c);

c = new Cookie("_idp_session", null);
c.setPath("/idp");
c.setMaxAge(0);
response.addCookie(c);

session.invalidate();
---------------------

This was working until I upgraded from Tomcat 6 to Tomcat 8. Since then,
the cookies no longer seem to get wiped. Users are still logged in if
they revisit any of the Google Apps.

Any suggestions or pointers on how to get this working again would
be most appreciated.

Aloha,
-baron
-- 
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 6->8 upgrade breaks logout script?

Posted by Baron Fujimoto <ba...@hawaii.edu>.
On Fri, Mar 20, 2015 at 05:46:42PM -0400, Christopher Schultz wrote:
>
>On 3/20/15 4:27 PM, Baron Fujimoto wrote:
>> I hope someone may be able to provide some insight or a solution to
>> a problem we encountered after I upgraded from Tomcat 6 to 8. We're
>> using Tomcat as the servlet container for our Shibboleth IdP SSO,
>> which we use to authenticate to Google Apps. Google allows you to
>> configure a URL used for logout. We have this pointed at a
>> logout.jsp page that basically does the following (excerpted code
>> cribbed from the shibboleth-users list):
>> 
>> <https://groups.google.com/forum/#!msg/shibboleth-users/CFkau-FHCsA/yx7KRO9xMCoJ>
>>
>> 
>> ---------------------
>> Cookie c;
>>
>> c = new Cookie("JSESSIONID", null);
>> c.setPath("/idp");
>> c.setMaxAge(0);
>> response.addCookie(c);
>>
>> c = new Cookie("_idp_session", null);
>> c.setPath("/idp");
>> c.setMaxAge(0);
>> response.addCookie(c);
>>
>> session.invalidate();
>> ---------------------
>> 
>> This was working until I upgraded from Tomcat 6 to Tomcat 8. Since
>> then, the cookies no longer seem to get wiped. Users are still
>> logged in if they revisit any of the Google Apps.
>> 
>> Any suggestions or pointers on how to get this working again would 
>> be most appreciated.
>
>Try adding a trailing "/" onto the end of the path:
>
>   c.setPath("/idp/");

Ok, that seems to work. So mahalo for that! But I'd feel a lot better if
I knew *why* that worked, and how I should have been able to figure that
out myself.

What I find even more confusing is that on one system, if I revert to a
version of the script that doesn't add the trailing "/", it still works,
but on another system, if I back out the change, it goes back to being
broken. WAT?

-baron
-- 
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
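
Added example, not part of the original thread and not Tomcat or Shibboleth code: a small model of a browser cookie store (RFC 6265) showing why an expiring Set-Cookie with Path=/idp leaves a cookie stored under Path=/idp/ in place. It assumes the cookies were issued with Path=/idp/ after the upgrade, which the thread does not confirm; the host name, cookie value and request path are constructed.

```javascript
// Minimal model of a browser cookie store (RFC 6265 sections 5.1.4 and 5.3).
// Constructed sample values: host idp.example.edu, value "abc123",
// request path /idp/profile/sso.
class CookieStore {
  constructor() { this.cookies = new Map(); }

  // A stored cookie is identified by (name, domain, path). A Set-Cookie
  // replaces or expires only the entry whose three fields all match.
  setCookie(host, { name, value, path, maxAge }) {
    const key = JSON.stringify([name, host.toLowerCase(), path]);
    if (maxAge !== undefined && maxAge <= 0) {
      return this.cookies.delete(key); // true only if an entry was removed
    }
    this.cookies.set(key, { name, value, host: host.toLowerCase(), path });
    return true;
  }

  // Path-match: identical, or the cookie path is a prefix of the request
  // path that ends in "/" or is followed by "/" in the request path.
  static pathMatches(requestPath, cookiePath) {
    if (requestPath === cookiePath) return true;
    if (!requestPath.startsWith(cookiePath)) return false;
    return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
  }

  // Names of the cookies the browser would send with a request.
  cookiesFor(host, requestPath) {
    return [...this.cookies.values()]
      .filter(c => c.host === host.toLowerCase() &&
                   CookieStore.pathMatches(requestPath, c.path))
      .map(c => c.name).sort();
  }
}

// Replays a login followed by one logout variant and returns the cookies
// still sent to the IdP afterwards. sessionPath is the assumed issuing path.
function afterLogout(sessionPath, logoutPath) {
  const host = "idp.example.edu";
  const names = ["JSESSIONID", "_idp_session"];
  const store = new CookieStore();
  for (const name of names) {
    store.setCookie(host, { name, value: "abc123", path: sessionPath });
  }
  for (const name of names) {
    store.setCookie(host, { name, value: "", path: logoutPath, maxAge: 0 });
  }
  return store.cookiesFor(host, "/idp/profile/sso");
}

console.log(afterLogout("/idp/", "/idp"));  // both cookies survive
console.log(afterLogout("/idp/", "/idp/")); // []
```

To see which case applies on a given server, compare the Path attribute in the Set-Cookie header issued at login with the one sent by logout.jsp.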



Re: Tomcat 6->8 upgrade breaks logout script?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Baron,

On 3/20/15 4:27 PM, Baron Fujimoto wrote:
> I hope someone may be able to provide some insight or a solution to
> a problem we encountered after I upgraded from Tomcat 6 to 8. We're
> using Tomcat as the servlet container for our Shibboleth IdP SSO,
> which we use to authenticate to Google Apps. Google allows you to
> configure a URL used for logout. We have this pointed at a
> logout.jsp page that basically does the following (excerpted code
> cribbed from the shibboleth-users list):
> 
> <https://groups.google.com/forum/#!msg/shibboleth-users/CFkau-FHCsA/yx7KRO9xMCoJ>
>
> 
> ---------------------
> Cookie c;
>
> c = new Cookie("JSESSIONID", null);
> c.setPath("/idp");
> c.setMaxAge(0);
> response.addCookie(c);
>
> c = new Cookie("_idp_session", null);
> c.setPath("/idp");
> c.setMaxAge(0);
> response.addCookie(c);
>
> session.invalidate();
> ---------------------
> 
> This was working until I upgraded from Tomcat 6 to Tomcat 8. Since
> then, the cookies no longer seem to get wiped. Users are still
> logged in if they revisit any of the Google Apps.
> 
> Any suggestions or pointers on how to get this working again would 
> be most appreciated.

Try adding a trailing "/" onto the end of the path:

   c.setPath("/idp/");

-chris
