When I log out of an application on WebSphere and back on, the LTPA token is unchanged. I thought it would change because session tokens are supposed to be unpredictable.

A: 

Hi,

What do you do when you log out of your application?

Are you invalidating the LTPA cookie?

If not, the browser has the LTPA cookie which tells the App Server that you are authenticated as far as it is concerned.

Do not assume that session ID and HTTP Sessions and LTPA are one and the same.

HTH Manglu

Manglu
Also refer to: http://download.boulder.ibm.com/ibmdl/pub/software/dw/wes/pdf/0611_botzum-WAS-60-security-programming-hints.pdf

This does not provide you the exact answer to your question but does provide broad info that is useful for you.

Using ibm_security_logoutURL is a good option to log out and remove the LTPA cookie from the browser.

HTH
Manglu
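
An added example, not part of the thread or of IBM's code: a check that reads the `Set-Cookie` headers of a logout response and reports whether the LTPA cookies were cleared along with the HTTP session cookie. The cookie names are assumed to be the WebSphere defaults, and the sample headers are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# WebSphere default cookie names (assumed; both are configurable per cell).
AUTH_COOKIES = ("LtpaToken", "LtpaToken2", "JSESSIONID")

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def is_cleared(attrs, now):
    """True when the attributes tell the browser to discard the cookie."""
    try:
        if "max-age" in attrs:            # Max-Age takes precedence over Expires
            return int(attrs["max-age"]) <= 0
        if "expires" in attrs:
            when = parsedate_to_datetime(attrs["expires"])
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            return when <= now
    except (TypeError, ValueError):       # unparseable attribute: not a clear
        pass
    return False

def audit_logout(set_cookie_headers, now=None):
    """Map each auth cookie to whether the logout response cleared it."""
    now = now or datetime.now(timezone.utc)
    status = {name: False for name in AUTH_COOKIES}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name in status:
            status[name] = is_cleared(attrs, now)  # last header for a name wins
    return status

# Constructed sample responses, not captured from a real server.
SESSION_ONLY = ['JSESSIONID=0000abc; Max-Age=0; Path=/']
FULL_LOGOUT = [
    'JSESSIONID=0000abc; Max-Age=0; Path=/',
    'LtpaToken=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/',
    'LtpaToken2=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/',
]

if __name__ == "__main__":
    print(audit_logout(SESSION_ONLY))
    print(audit_logout(FULL_LOGOUT))
```

A `False` for `LtpaToken2` after logout means the browser still holds the token and the server will keep treating the user as authenticated.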