Clicking the browser back button after logout renders application data without the need to log in again

  • 7006281
  • 15-Jun-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Multiple LAG nodes running in the same cluster

Situation

A user has an active session to the Access Gateway and can browse all protected resources successfully. After logging out, the user is presented with a message that the logout was successful. However, when the same user clicks the back button, the protected page data is rendered in the browser. The user does not need to re-authenticate to see the application data. The problem is not reproducible every time, and it does not occur in a setup where only one LAG exists in the cluster.

Resolution

Edit the /opt/novell/nesp/lib/webapp/WEB-INF/web.xml file on the LAG so that it includes the following logoutRetirementFrequency parameter:

    <context-param>
        <param-name>logoutRetirementFrequency</param-name>
        <param-value>5000</param-value>
    </context-param>

When this parameter does not exist, it can take up to 60 seconds for all nodes in the cluster to become aware of logout requests. Until a node has received the logout, it still treats the session as valid, which is why the back button can return protected data. Setting the parameter to 5000 reduces the time for all nodes to be updated with logout information to a maximum of 10 seconds. The side effect of this change is more frequent traffic between the nodes in the cluster as they update each other with logout requests.
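
To confirm that the change is in place on every node, the web.xml file can be checked for the parameter. The following is an added example, not part of the original article or of Novell's tooling; the function names, status strings and sample web.xml contents are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

PARAM = "logoutRetirementFrequency"
RECOMMENDED = "5000"  # value given in this article


def local(tag):
    """Strip an XML namespace, since web.xml may or may not declare one."""
    return tag.rsplit("}", 1)[-1]


def logout_retirement_frequency(web_xml):
    """Return the configured value (str), or None if the context-param is absent."""
    root = ET.fromstring(web_xml)
    for elem in root.iter():
        if local(elem.tag) != "context-param":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name") == PARAM:
            return fields.get("param-value", "")
    return None


def check(web_xml):
    """Classify a web.xml as 'missing', 'invalid', 'differs' or 'ok'."""
    value = logout_retirement_frequency(web_xml)
    if value is None:
        return "missing"   # parameter absent: the up-to-60-second behaviour applies
    if not value.isdigit():
        return "invalid"   # empty or non-numeric param-value
    return "ok" if value == RECOMMENDED else "differs"


# Constructed sample inputs (not copied from a real LAG).
SAMPLE_FIXED = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <context-param>
    <param-name>logoutRetirementFrequency</param-name>
    <param-value>5000</param-value>
  </context-param>
</web-app>"""
SAMPLE_DEFAULT = "<web-app><display-name>constructed</display-name></web-app>"

if __name__ == "__main__":
    # Pass one or more web.xml paths, e.g. copies collected from each LAG node.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check(fh.read()))
```

Run it against the web.xml of each LAG in the cluster; any node reporting "missing" or "differs" has not received the change described above.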