Symantec Access Management

Expand all | Collapse all

Access Gateway REST Call - Logout not invalidating Session Token

Jump to Best Answer
  • 1.  Access Gateway REST Call - Logout not invalidating Session Token

    Posted 08-31-2017 07:07 PM

    Working on the Access Gateway web services (AuthN/Az) and having issues with the logout. When i invoke the rest login service and access the protected resource, i received token successfully. After that, i invoke the rest logout service and tried again to hit the protected resource. Instead of getting a 401 error like i would expect, I was able to pass through and access the resource.

     

    Digging further into product doc, it turns out that logout service will not invalidate the token. 

     

     

    https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/ca-access-gateway-configuration/configuring-the-authentication-and-authorization-web-services

     

     

    Are there additional configurations that need to be done to make sure the session token is invalidated after passing it to the logout service?



  • 2.  Re: Access Gateway REST Call - Logout not invalidating Session Token
    Best Answer

    Posted 08-31-2017 07:18 PM

    To invalidate the session token after logout you will need to implement session store and ensure that the session is persistent.

     

    Also, have shorter session validation period to ensure that the agent sends the request to policy server for validation.



  • 3.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Posted 08-31-2017 09:12 PM

    To add to the answer that Ujwol added,

     

    Firstly yes the REST api logout call is more related to session store usage, where it will delete the entry from the session store.  In the webagent (non REST call mode) the main purpose of the logout call, in addition the the session store use,  is to delete the SMSESSION cookie. 

     

    But the SMSESSION cookie does have it's own expire idle timeout built into it, the webagent when it receives a request decrypts and decodes the SMSESSION and checks if the idle timeout has expired before processing the request.

     

    So after the logout call, the SMSESSION cookie is only valid for that moderately short idle timeout period and will then expire. 

     

    Cheers - Mark

    BTW: Even with session store usage, it takes some time for the deleted session to be flushed to all policy servers and webagents, - so there too there is a small period of time (smaller than idle timeout, but still small period time) when it will be accepted (ACO settings can adjust that time, and setting Az cache to 0 will mean agent checks the policy server each  time) . 



  • 4.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Posted 09-01-2017 09:17 AM

    Complementing Mark.ODonohue answer,

    If you're using a front-end app to consume the webservices from Access Gateway, what we usually recommend is to also delete the SMSESSION cookie from client's browser when calling the logout webservice.



  • 5.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Posted 10-05-2017 01:09 PM

    Deployed the fix provided by CA Support and that fixed the webservices logout issue. The fix contains 2 files: libSPS60Agent.so and libSPSPlugin.so

     

    I hope this fix will make it in the next release of access gateway.



  • 6.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Posted 10-05-2017 01:11 PM

    Makesh 

     

    Could you reconfirm was the fix provided for logout work with or without Session Store?



  • 7.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Posted 10-05-2017 01:23 PM

    It works with Session Store and a combination of short idle/max timeout period.



  • 8.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Posted 10-05-2017 01:25 PM

    Thank You Makesh.



  • 9.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Posted 10-05-2017 08:30 PM

    Hi Makesh, Can you share the rally ticket number ? I would like to verify what the issue was and what has been done to fix it ?



  • 10.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Posted 10-05-2017 11:03 PM

    I just emailed you the ticket number.