I've encountered quite an unexpected problem using Tomcat and CAS authorization. I just cannot log out in Firefox. I'm redirected to the logout page, but as soon as I re-enter the application URL in the address bar, it is opened as if I'm logged in (and I actually am logged in!).

First I made a notable number of attempts to fix something in the Tomcat config, then I read the logs, but nothing actually helped until it came to my mind to check the logout behavior in other browsers.

In other browsers everything works just as expected. I'm just stuck and would appreciate it if someone could give me a hint.

I guess [this question][1] is in some way related to mine, but, alas, disabling caching on the page which should log me out doesn't help either.

UPD: Some debug information. Firefox's version is 7.0.1; unfortunately, it is not a public application and I cannot provide any URL. It looks like the response.sendRedirect output is something that Firefox is missing. Here is the minimal code that works in any browser except Firefox.

 // Drop the server-side session for this host, then send the browser to the CAS logout page.
 session.invalidate();
 response.sendRedirect("https://app:8552/cas/logout");

HEADERS, 1st REQUEST - which invalidates the session and redirects to the CAS logout page

REQUEST HEADERS

  • Host: dev.service.net
  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
  • Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  • Accept-Language: en-us,en;q=0.5
  • Accept-Encoding: gzip, deflate
  • Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  • Connection: keep-alive
  • Referer: http://dev.service.net/
  • Cookie: JSESSIONID=53B9469EFE9F130E9694F7406BFAB755

RESPONSE HEADERS

  • Server: nginx/1.0.4
  • Date: Thu, 20 Oct 2011 09:20:45 GMT
  • Content-Type: text/html
  • Content-Length: 184
  • Location: https://dev:8552/cas/logout

2nd REQUEST - the CAS logout page itself

REQUEST HEADERS

  • Host: dev:8552
  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
  • Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  • Accept-Language: en-us,en;q=0.5
  • Accept-Encoding: gzip, deflate
  • Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  • Connection: keep-alive
  • Referer: http://dev.service.net/
  • Cookie: JSESSIONID=8A68F008825A0F0D14C6BF803E1332CF; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true

RESPONSE HEADERS

  • Server: Apache-Coyote/1.1
  • Pragma: no-cache
  • Expires: Thu, 01 Jan 1970 00:00:00 GMT
  • Cache-Control: no-cache, no-store
  • Content-Type: text/html;charset=UTF-8
  • Content-Language: en-US
  • Content-Length: 1226
  • Date: Thu, 20 Oct 2011 15:53:57 GMT

3rd REQUEST - we are returning to the page which actually should redirect us to the login page, but it does not.

REQUEST HEADERS

  • Host: dev.service.net
  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
  • Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  • Accept-Language: en-us,en;q=0.5
  • Accept-Encoding: gzip, deflate
  • Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  • Connection: keep-alive
  • Cookie: JSESSIONID=53B9469EFE9F130E9694F7406BFAB755

RESPONSE HEADERS

  • Server: Apache-Coyote/1.1
  • Pragma: no-cache
  • Expires: Thu, 01 Jan 1970 00:00:00 GMT
  • Cache-Control: no-cache, no-store
  • Content-Type: text/html;charset=UTF-8
  • Content-Language: en-US
  • Content-Length: 1226
  • Date: Thu, 20 Oct 2011 13:30:51 GMT
Which version of Firefox? Do you have a live link to the site? - Matt Ball
@Matt Ball, provided this information in the question. Thank you for noting it. - shabunc
How exactly do you logout? Do you invalidate the session? Can you provide HTTP request and response headers of the logout and the subsequent request wherein you got apparently auto-logged-in? You can collect them using Firebug. - BalusC
@BalusC - provided the headers, updated the question. - shabunc
Those are only the request headers. Please provide the response headers as well. Also please provide the headers of the subsequent request/response. - BalusC

1 Answer

According to the headers, you're maintaining two different sessions on two different hosts. When you request a logout on the first host, you're redirected to the second host (which uses a different session cookie). The session cookie of the second host is in turn indeed invalidated (according to the presence of the Set-Cookie header). But based on the last request, the session has not been recreated on the server side (there is no Set-Cookie header). This means that session.invalidate() before response.sendRedirect() has failed somehow, or that the page is actually requested from the browser cache.

In Firebug you should be able to see if the page is requested from the browser cache by checking the text color of the request in the Net tab. If it's grayed out, then it means that it's been served from the browser cache. For Firefox, the must-revalidate header is actually mandatory next to the no-cache, no-store headers. You need to configure your server to add that entry to the header, or to change/create a Filter for that.

See also:
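An added example, not code from the question or from the answer above, of the two pieces the answer points at: a servlet Filter that stamps every response with `Cache-Control: no-cache, no-store, must-revalidate` (plus `Pragma` and `Expires` for older caches), and a logout endpoint that invalidates the local session, expires the `JSESSIONID` cookie and only then redirects to the CAS logout URL. The package name, the `/logout` URL pattern and the CAS URL (taken from the question's snippet) are assumptions; the header values are the ones the answer recommends.

```java
// Added example for the answer above; not part of the original page.
// Package, URL patterns and the CAS logout URL are assumed.
package example.cas;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public final class CasLogout {

    private CasLogout() {
    }

    /** Headers the answer recommends; must-revalidate is the part Firefox is said to need. */
    static void applyNoCache(HttpServletResponse response) {
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");              // HTTP/1.0 caches and proxies
        response.setDateHeader("Expires", 0L);                 // Thu, 01 Jan 1970 00:00:00 GMT
    }

    /** Applies the no-cache headers to every response of the web application. */
    @WebFilter(urlPatterns = "/*")
    public static final class NoCacheFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) {
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            if (response instanceof HttpServletResponse) {
                // Set the headers BEFORE the chain runs: once something downstream commits
                // the response (sendRedirect, flushing the body) added headers are dropped.
                applyNoCache((HttpServletResponse) response);
            }
            chain.doFilter(request, response);
        }

        @Override
        public void destroy() {
        }
    }

    /** Logout endpoint (assumed path): invalidate, expire the cookie, then redirect to CAS. */
    @WebServlet(urlPatterns = "/logout")
    public static final class LogoutServlet extends HttpServlet {

        // Assumed; a real deployment would read this from configuration.
        private static final String CAS_LOGOUT_URL = "https://app:8552/cas/logout";

        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws IOException {
            // getSession(false) avoids creating a fresh session just to invalidate it.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }

            // Expire the client-side JSESSIONID so the next request does not present the old
            // identifier at all (the question's 3rd request still carried the original one).
            Cookie stale = new Cookie("JSESSIONID", "");
            stale.setMaxAge(0);
            String path = request.getContextPath();
            stale.setPath(path.isEmpty() ? "/" : path);
            stale.setHttpOnly(true);
            stale.setSecure(request.isSecure());
            response.addCookie(stale);

            // The redirect response itself must not be served from cache later on;
            // sendRedirect commits the response, so the headers go first.
            applyNoCache(response);
            response.sendRedirect(CAS_LOGOUT_URL);
        }
    }
}
```

Both classes are public static nested classes so that the whole example fits in one source file; Tomcat's annotation scanning picks them up as `example.cas.CasLogout$NoCacheFilter` and `example.cas.CasLogout$LogoutServlet`, and those binary names are what to use if you register them in web.xml instead. When checking the fix, look at the Firebug Net tab as the answer describes: the request for the application page after logout must not be greyed out, and its response must carry the three cache headers.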