
I've encountered a quite unexpected problem using Tomcat and CAS authorization. I just cannot log out in Firefox. I'm redirected to the logout page, but as soon as I re-enter the application URL in the address bar, it opens as if I'm logged in (and I actually am logged in!).

First I made a considerable number of attempts to fix something in the Tomcat config, then I read the logs, but nothing actually helped until it occurred to me to check the logout behaviour in other browsers.

In other browsers everything works just as expected. I'm simply stuck and would appreciate it if someone could give me a hint.

I guess [this question][1] is in some way related to mine, but, alas, disabling caching on the page which should log me out doesn't help either.

UPD: Some debug information. The Firefox version is 7.0.1; unfortunately, it is not a public application and I cannot provide any URL. It looks like the response.sendRedirect output is something that Firefox is missing. Here is the minimal code that works in any browser except Firefox.

    // invalidate the container session, then send the browser to the CAS logout page
    session.invalidate();
    response.sendRedirect("https://app:8552/cas/logout");

HEADERS, 1st REQUEST - which invalidates the session and redirects to the CAS logout page

REQUEST HEADERS

  • Host: dev.service.net
  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
  • Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  • Accept-Language: en-us,en;q=0.5
  • Accept-Encoding: gzip, deflate
  • Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  • Connection: keep-alive
  • Referer: http://dev.service.net/
  • Cookie: JSESSIONID=53B9469EFE9F130E9694F7406BFAB755

RESPONSE HEADERS

  • Server: nginx/1.0.4
  • Date: Thu, 20 Oct 2011 09:20:45 GMT
  • Content-Type: text/html
  • Content-Length: 184
  • Location: https://dev:8552/cas/logout

2nd REQUEST - cas logout page itself

REQUEST HEADERS

  • Host: dev:8552
  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
  • Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  • Accept-Language: en-us,en;q=0.5
  • Accept-Encoding: gzip, deflate
  • Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  • Connection: keep-alive
  • Referer: http://dev.service.net/
  • Cookie: JSESSIONID=8A68F008825A0F0D14C6BF803E1332CF; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true

RESPONSE HEADERS

  • Server: Apache-Coyote/1.1
  • Pragma: no-cache
  • Expires: Thu, 01 Jan 1970 00:00:00 GMT
  • Cache-Control: no-cache, no-store
  • Content-Type: text/html;charset=UTF-8
  • Content-Language: en-US
  • Content-Length: 1226
  • Date: Thu, 20 Oct 2011 15:53:57 GMT

3rd REQUEST - we are returning to the page which actually should redirect us to the login page, but it does not.

REQUEST HEADERS

  • Host: dev.service.net
  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
  • Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  • Accept-Language: en-us,en;q=0.5
  • Accept-Encoding: gzip, deflate
  • Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  • Connection: keep-alive
  • Cookie: JSESSIONID=53B9469EFE9F130E9694F7406BFAB755

RESPONSE HEADERS

  • Server: Apache-Coyote/1.1
  • Pragma: no-cache
  • Expires: Thu, 01 Jan 1970 00:00:00 GMT
  • Cache-Control: no-cache, no-store
  • Content-Type: text/html;charset=UTF-8
  • Content-Language: en-US
  • Content-Length: 1226
  • Date: Thu, 20 Oct 2011 13:30:51 GMT
BalusC
shabunc
  • Which version of Firefox? Do you have a live link to the site? – Matt Ball Oct 20 '11 at 13:33
  • @Matt Ball, provided this information in question. Thank you for noting it. – shabunc Oct 20 '11 at 13:40
  • How exactly do you logout? Do you invalidate the session? Can you provide HTTP request and response headers of the logout and the subsequent request wherein you got apparently auto-logged-in? You can collect them using Firebug. – BalusC Oct 20 '11 at 13:53
  • @BalusC - provided header, updated question. – shabunc Oct 20 '11 at 14:11
  • Those are only the request headers. Please provide the response headers as well. Also please provide the headers of the subsequent request/response. – BalusC Oct 20 '11 at 14:16
  • @BalusC - by subsequent you mean server response? Just a sec and I'll add them? – shabunc Oct 20 '11 at 14:18
  • No.. The request which you sent after you're being logged out. The one for which you're apparently logged in again. – BalusC Oct 20 '11 at 14:22
  • That's better. Now still the subsequent request yet. The one which you're talking about with "but as soon as I reenter application url in the address bar, it is opened as if I'm logged" in your question. Please note that the `must-revalidate` is still missing in cache control response header of the redirected request. – BalusC Oct 20 '11 at 14:28
  • You're mixing request/response headers. You showed only the request headers. The response headers are missing. – BalusC Oct 20 '11 at 14:33
  • BalusC, added the last bunch of headers. Yes, this was the minimal set which does not work. Now I'll retry again, with must-revalidate. Anyway, thank you for helping! – shabunc Oct 20 '11 at 14:35
  • It's not entirely solved, I see in the last request headers that the cookie has changed. Please redo this all in a single go and update the request and response headers accordingly. Please do not confuse request and response headers. The request headers are the ones which you (the browser) has sent and the response headers are the ones which the server has returned. – BalusC Oct 20 '11 at 14:42
  • @BalusC, thank you for being helpful, I really appreciate it. I do know what response headers are ))), it is just that I was a bit confused editing a big text without an editor. I've edited the question and added all the headers which can give a hint. – shabunc Oct 20 '11 at 16:10
  • Better, but the response headers of the last request are *actually* the same as its request headers. But I think I see the cause. I'll post an answer. – BalusC Oct 20 '11 at 16:19

1 Answer


According to the headers, you're maintaining two different sessions on two different hosts. When you request a logout on the first host, you're redirected to the second host (which uses a different session cookie). The session cookie of the second host is in turn indeed invalidated (according to the presence of the Set-Cookie header). But based on the last request, the session has not been recreated on the server side (there is no Set-Cookie header). This means that session.invalidate() before response.sendRedirect() has failed somehow, or that the page is actually requested from the browser cache.

In Firebug you should be able to see if the page is requested from the browser cache by checking the text color of the request in the Net tab. If it's grayed out, then it means that it's been served from the browser cache. For Firefox, the must-revalidate header is actually mandatory next to the no-cache, no-store headers. You need to configure your server to add that entry to the header, or to change/create a Filter for that.


BalusC
  • Thank you for this answer and for being patient so long))) Alas, only restarting Firefox helps. Indeed a very strange issue. When I find out what is wrong, I will let you know. – shabunc Oct 20 '11 at 17:15
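The two things the answer asks for, as an added example that is not code from the question, the answer or the CAS project: a servlet Filter that emits the complete anti-caching header set (including the must-revalidate the captured responses lack), and a logout servlet that invalidates the application's own container session before redirecting to CAS. The CAS logout URL is the one from the question; the web.xml mapping, the cookie name JSESSIONID and the cookie path are assumptions (Tomcat defaults).

```java
// File: NoCacheFilter.java  (added example, not from the original page)
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds the full anti-caching header set to every response it wraps.
 * Assumed web.xml mapping (adjust the url-pattern to the session-dependent pages):
 *
 *   <filter>
 *     <filter-name>noCache</filter-name>
 *     <filter-class>NoCacheFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>noCache</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class NoCacheFilter implements Filter {
    @Override public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Set before the chain runs so the headers go out before the body is committed.
        // no-store: never write the page to disk; no-cache: never reuse without
        // revalidation; must-revalidate: no stale reuse, which is the entry the
        // answer says Firefox needs next to the other two.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");   // HTTP/1.0 clients and proxies
        response.setDateHeader("Expires", 0);       // Thu, 01 Jan 1970 00:00:00 GMT
        chain.doFilter(req, res);
    }

    @Override public void destroy() {}
}

// File: LogoutServlet.java  (added example, not from the original page)
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutServlet extends HttpServlet {
    // Logout URL from the question; the host is whatever the deployment uses.
    private static final String CAS_LOGOUT_URL = "https://app:8552/cas/logout";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false): never create a fresh session as a side effect of logging out.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Also expire the cookie in the browser so the old JSESSIONID value is not
        // presented again at all (cookie name and path are assumed Tomcat defaults).
        String ctx = request.getContextPath();
        Cookie cookie = new Cookie("JSESSIONID", "");
        cookie.setMaxAge(0);
        cookie.setPath(ctx.isEmpty() ? "/" : ctx);
        response.addCookie(cookie);
        // The redirect response itself must not be cacheable either.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
        response.sendRedirect(CAS_LOGOUT_URL);
    }
}
```

To check the fix the same way the thread did: repeat the three requests in Firebug's Net tab and confirm that the third response now carries must-revalidate in Cache-Control, that its row is not greyed out (not served from cache), and that the third request either sends no JSESSIONID cookie or sends a value different from the first request's 53B9469E... value. If the old value still arrives and the server still honours it, the invalidate() on the application host did not run, independently of anything the CAS host did.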