
I have inherited some JAX-RS code with a logout function that appears to be properly "logging out" the user by redirecting to the login page, invalidating the session, and expiring the session cookies:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;

@POST
@Path("/logout")
public void logout(@Context HttpServletRequest req, @Context HttpServletResponse response) {

  // getSession(false) returns null when the caller has no session; guard it to avoid an NPE
  final HttpSession session = req.getSession(false);
  if (session != null) {
      session.invalidate();
  }
  try {
      req.logout();   // Servlet 3.0 container logout
  } catch (ServletException e1) {
      e1.printStackTrace();
  }

  // Ask the client to drop every cookie it sent: empty value, Max-Age=0
  final Cookie[] cookies = req.getCookies();
  if (cookies != null) {
      for (final Cookie cookie : cookies) {
          cookie.setValue("");
          cookie.setPath("/");
          cookie.setMaxAge(0);
          response.addCookie(cookie);
      }
  }

  try {
      response.sendRedirect("/login");
  } catch (IOException e) {
      e.printStackTrace();
  }
}

However, if I fetch the below endpoint in curl after logging out, I can still get the username, implying that the cookies are still working:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.SecurityContext;

// Injected by the JAX-RS runtime; carries the caller's authenticated principal, if any
@Context
private SecurityContext securityContext;

@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/thisuser")
public Response thisUser() {
    try {
        // getUserPrincipal() is null for an unauthenticated caller, so getName() throws
        return Response.status(Status.OK).entity(securityContext.getUserPrincipal().getName()).build();
    } catch (Exception e) {
        return Response.status(Status.FORBIDDEN).build();
    }
}

I am using this curl invocation, but Postman works too:

$ curl --location 'https://localhost:1234/thisuser' --header 'Cookie: JSESSIONID=[REDACTED]; LtpaToken2=[REDACTED]'

I have verified that:

  • the cookies are properly served after logging in.
  • after logging out in the browser, JSESSIONID has changed.
  • if I substitute completely made-up values in the cookies, I can't fetch the thisuser endpoint.

Yet legitimate cookies are never expired. What am I missing in the code? What else can I try?

Using IBM WebSphere Application Server 8.5, Java 1.8, and Servlet Spec 3.0.

  • Expiring the cookies simply tells the client, "please do not send this value again with the next request." But your cURL request is not affected by that, because you are explicitly telling it which cookie values to send. Commented Jul 3, 2025 at 8:02
  • You should actually logout before invalidating the session. Give it a try. Commented Jul 3, 2025 at 10:08
  • @BasilBourque WebSphere Application Server 8.5. Java 1.8. Servlet Spec 3.0 Commented Jul 3, 2025 at 15:10
  • @BalusC that doesn't make a difference. Commented Jul 3, 2025 at 15:12
  • 1
    I see you suddenly removed the [jaspic] tag I helpfully added in order to attract the right experts. In this case you might find helpful to know that request.logout() and securityContext mechanisms are actually part of JASPIC .. See also jakarta.ee/specifications/security/4.0/… Commented Jul 3, 2025 at 16:53
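The first comment's point (a Max-Age=0 cookie only asks the client to stop sending the value) means a replayed JSESSIONID or LtpaToken2 is stopped only by state the server checks itself. As an added illustration, not code from the question or its comments, here is a Servlet 3.0 filter that records the authentication cookie values presented at logout and rejects later requests that carry them; the cookie names, the in-memory store and the filter class name are assumptions for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Rejects any request presenting an auth cookie value recorded at logout, so a client
// that keeps replaying old cookie values (as the curl call does) is stopped server-side.
@WebFilter("/*")
public class RevokedCookieFilter implements Filter {
    // Cookies carrying authentication state in this deployment (assumed names).
    private static final List<String> AUTH_COOKIES = Arrays.asList("JSESSIONID", "LtpaToken2");
    // SHA-256 fingerprints of revoked values (in-memory for illustration; a cluster needs a shared store).
    private static final Set<String> REVOKED = ConcurrentHashMap.newKeySet();
    // Call at the start of the logout endpoint, before the cookies are cleared.
    public static void revokeAuthCookies(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        for (Cookie c : cookies == null ? new Cookie[0] : cookies) {
            if (AUTH_COOKIES.contains(c.getName())) REVOKED.add(fingerprint(c.getValue()));
        }
    }
    static String fingerprint(String value) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.UTF_8));
            return String.format("%064x", new java.math.BigInteger(1, d));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // every JRE ships SHA-256
        }
    }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        Cookie[] cookies = ((HttpServletRequest) request).getCookies();
        for (Cookie c : cookies == null ? new Cookie[0] : cookies) {
            if (AUTH_COOKIES.contains(c.getName()) && REVOKED.contains(fingerprint(c.getValue()))) {
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(request, response);
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Entries only need to live as long as the token they fingerprint can still be accepted, so a production store should evict them after that lifetime rather than grow without bound.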
