Hi IS team,

As informed offline, we have faced [1] in ES. We understand that once we move to Identity core 4.5.1, the cache expiration period can be configured in HOME/repository/conf/tomcat/carbon/WEB-INF/web.xml.

Even after the set cache expiration time or a session timeout (we have already set the cache expiration time to a higher value than the session timeout), we face the 405 issue where the logout flow breaks at the identity side (in the browser with the message *No Established Sessions corresponding to Session Indexes provided*), providing no clue to the application side. Hence the following approach was suggested for us to identify the existence of a valid session.

We have the following concern with the above suggested approach. Say we make call1 and then receive response 1 saying that the session still exists. But between then and the time that we make call2, the session expires (since these are network calls and delays may occur). So at that point we face the same original problem again.

Isn't the proper approach to send a logout response from the identity side with a proper message (no session exists) to the application side, rather than breaking the flow in the middle? Are there any security vulnerabilities in sending a logout response to a non-existent session? (Assuming that a third party who never had a session at the IDP can still make a logout request.)

Appreciate your input.

[1] https://wso2.org/jira/browse/STORE-721

Thanks,
Tanya

--
Tanya Madurapperuma
Senior Software Engineer, WSO2 Inc. : wso2.com
Mobile : +94718184439
Blog : http://tanyamadurapperuma.blogspot.com
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
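The race described in the mail (call1 says the session exists, the session expires before call2 arrives, and the logout then fails with "No Established Sessions corresponding to Session Indexes provided") can be reproduced deterministically with a simulated session cache. The following is an added illustration, not WSO2 Identity Server code: the `SessionStore` class, its TTL-based eviction, the simulated clock and the two logout variants are all assumptions made for the demonstration. It contrasts the check-then-logout sequence with an idempotent logout that always returns a well-formed response, which is the alternative the mail asks about.

```python
# Added example (not WSO2 code): a simulated IdP session store with a TTL,
# used to show why "check then logout" can still hit the expiry race, and
# how an idempotent logout response avoids breaking the flow. The clock is
# simulated so the race can be reproduced without real network delays.

ERR_NO_SESSION = "No Established Sessions corresponding to Session Indexes provided"


class SessionStore:
    """Tiny in-memory session cache keyed by session index (assumed model)."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.now = 0            # simulated clock, in seconds
        self._sessions = {}     # session_index -> creation time

    def create(self, index):
        self._sessions[index] = self.now

    def advance(self, seconds):
        """Simulate elapsed wall-clock time, e.g. network latency between calls."""
        self.now += seconds

    def _expire(self):
        # Evict anything older than the TTL, as a cache with an expiry period would.
        self._sessions = {k: t for k, t in self._sessions.items()
                          if self.now - t < self.ttl}

    def exists(self, index):
        """call1 in the suggested approach: ask whether the session is still valid."""
        self._expire()
        return index in self._sessions

    def logout_strict(self, index):
        """Logout that fails hard when the session index is unknown
        (the behaviour the mail describes)."""
        self._expire()
        if index not in self._sessions:
            raise LookupError(ERR_NO_SESSION)
        del self._sessions[index]
        return "LogoutResponse: Success"

    def logout_idempotent(self, index):
        """Logout that always completes: the session is gone afterwards either
        way and the caller gets a response it can act on. The response is the
        same whether or not the index was live, so it does not act as an
        oracle for which session indexes currently exist."""
        self._expire()
        self._sessions.pop(index, None)
        return "LogoutResponse: Success"


def check_then_logout(store, index, network_delay):
    """The two-call approach: call1 (exists?) then call2 (logout), with a delay between."""
    if not store.exists(index):
        return "no session: skipped logout"
    store.advance(network_delay)      # time passes between call1 and call2
    try:
        return store.logout_strict(index)
    except LookupError as err:
        return f"flow broken: {err}"


def demo():
    """Constructed scenario: 60 s TTL, one session created at t=0."""
    results = {}

    store = SessionStore(ttl_seconds=60)
    store.create("idx-1")
    store.advance(30)                                   # well inside the TTL
    results["fast"] = check_then_logout(store, "idx-1", network_delay=5)

    store = SessionStore(ttl_seconds=60)
    store.create("idx-1")
    store.advance(58)                                   # close to expiry
    results["slow"] = check_then_logout(store, "idx-1", network_delay=5)

    store = SessionStore(ttl_seconds=60)
    store.create("idx-1")
    store.advance(63)                                   # already expired
    results["idempotent_expired"] = store.logout_idempotent("idx-1")
    results["idempotent_unknown"] = store.logout_idempotent("never-existed")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The "slow" case is the one from the mail: call1 reports a live session at t=58, the 5 s delay pushes call2 past the 60 s TTL, and the strict logout raises instead of responding. The idempotent variant returns the same response for an expired session and for an index that never existed, so a caller that could not have known the session state learns nothing from the reply. The example deliberately models only session state; a real single logout endpoint must still validate the LogoutRequest itself (issuer and signature) before acting on it, which this simulation does not include.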
