Jan-Willem Gmelig Meyling created ISIS-1434:
-----------------------------------------------
Summary: Cookie not cleared after logout, Shiro session remains active
Key: ISIS-1434
URL: https://issues.apache.org/jira/browse/ISIS-1434
Project: Isis
Issue Type: Bug
Components: Core: Security: Shiro
Affects Versions: 1.12.1
Environment: OSX
Reporter: Jan-Willem Gmelig Meyling
Assignee: Dan Haywood
Priority: Minor
I have some files that I have stored in the resource folder, which I only want
to be available for authenticated users. So I have added the following contents
to my shiro.ini file:
```
[main]
authc.loginUrl = /wicket/signin
[urls]
/dist/** = authc
```
When I am not authenticated, retrieving a page from that folder correctly
brings me to Wicket. After logging in, the resource becomes available. However,
when I log out, either through the TertiaryActionsPanel in Wicket, or using the
logout call from the UserResource, it seems that my cookie is not cleared. I am
logged out from Wicket, but I can still access the resources (until I clear my
cookie on the client side).
In this case I'm trying to protect a few resources, which is a kind of
ridiculous use case, but I think that this also applies to other servlet
filters, which may lead to some unwanted results.
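A black-box regression check for the behaviour reported above, added here as an example and not part of the original report or of Apache Isis: it replays the pre-logout session cookie against the protected path after logging out. The stub server, its `/login` and `/logout` paths, the `JSESSIONID=abc123` value, the `/dist/app.js` file name and the 401 response (standing in for the redirect to the sign-in page) are constructed assumptions so the check runs offline.

```python
import http.server, threading, urllib.request, urllib.error
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass env proxies

def make_stub(invalidate_on_logout):  # constructed stand-in for the app, not Isis itself
    sessions = set()  # server-side session store
    class Stub(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args): pass
        def do_GET(self):
            sid = (self.headers.get("Cookie") or "").partition("JSESSIONID=")[2]
            if self.path == "/login":
                sessions.add("abc123")
                self.send_response(200)
                self.send_header("Set-Cookie", "JSESSIONID=abc123; Path=/")
            elif self.path == "/logout":
                if invalidate_on_logout: sessions.discard(sid)
                self.send_response(200)
            else:  # protected area: 401 stands in for the sign-in redirect
                self.send_response(200 if self.path.startswith("/dist/") and sid in sessions else 401)
            self.send_header("Content-Length", "0")
            self.end_headers()
    server = http.server.HTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def status(url, cookie=None):
    req = urllib.request.Request(url, headers={"Cookie": cookie} if cookie else {})
    try:
        with OPENER.open(req) as resp:
            return resp.status, resp.headers.get("Set-Cookie")
    except urllib.error.HTTPError as err:
        return err.code, None

def session_survives_logout(base, protected="/dist/app.js"):
    """Replay the pre-logout cookie after logout; True means the bug is present."""
    cookie = status(base + "/login")[1].split(";")[0]  # "JSESSIONID=abc123"
    if status(base + protected, cookie)[0] != 200:
        raise RuntimeError("login did not grant access to the protected path")
    status(base + "/logout", cookie)
    return status(base + protected, cookie)[0] == 200

def run_demo():
    results = {}  # keyed by "does logout invalidate the server-side session?"
    for fixed in (False, True):
        server = make_stub(invalidate_on_logout=fixed)
        results[fixed] = session_survives_logout("http://127.0.0.1:%d" % server.server_port)
        server.shutdown()
    return results

if __name__ == "__main__":
    print(run_demo())
```

Against a real deployment, the same replay would use the application's own sign-in and logout requests and treat a redirect to the sign-in page as the "denied" outcome.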