[
https://issues.apache.org/jira/browse/ISIS-1434?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dan Haywood updated ISIS-1434:
------------------------------
Fix Version/s: 1.13.0
> Cookie not cleared after logout, Shiro session remains active
> -------------------------------------------------------------
>
> Key: ISIS-1434
> URL: https://issues.apache.org/jira/browse/ISIS-1434
> Project: Isis
> Issue Type: Bug
> Components: Core: Security: Shiro
> Affects Versions: 1.12.1
> Environment: OSX
> Reporter: Jan-Willem Gmelig Meyling
> Assignee: Dan Haywood
> Priority: Minor
> Fix For: 1.13.0
>
>
> I have some files that I have stored in the resource folder, which I only
> want to be available for authenticated users. So I have added the following
> contents to my shiro.ini file:
> {code}
> [main]
> authc.loginUrl = /wicket/signin
>
> [urls]
> /dist/** = authc
> {code}
> When I am not authenticated, retrieving a page from that folder correctly
> brings me to Wicket. After logging in, the resource becomes available.
> However, when I log out, either through the TertiaryActionsPanel in Wicket,
> or using the logout call from the UserResource, it seems that my cookie is
> not cleared. I am logged out from Wicket, but I can still access the
> resources (until I clear my cookie on client side).
> In this case i'm trying to protect a few resources, which is a kind of
> ridiculous use case, but I think that this also applies for other servlet
> filters, which may lead to some unwanted results.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
