This topic contains 1 reply, has 2 voices, and was last updated by  Andy Cory 1 year ago.


    What is a proper way to log out a user if we use AM to protect a website? A REST call can invalidate a session in OpenAM, but does it clear the cookie as well? What happens if next time the user comes back and logs in again with the previously invalidated cookie? Thanks.

     Andy Cory 

    If the session ID in the cookie points to an invalid session token, the behaviour will be the same as if there were no cookie. The user will get a 403 not authorised response. Using the REST endpoint to invalidate a session will do nothing to the cookie; it is expected that the REST client clears the cookie value if desired, just as the REST client needs to create the cookie after authenticating.
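The two-step logout described in the reply above, as an added example that is not part of the original thread or ForgeRock's own code: invalidate the session over REST, then have the client expire the cookie itself. The cookie name `iPlanetDirectoryPro`, the `/json/sessions/?_action=logout` endpoint, the `am.example.com` host and the `.example.com` cookie domain are assumptions to check against your deployment and AM version.

```python
import urllib.request
from http.cookies import SimpleCookie

COOKIE_NAME = "iPlanetDirectoryPro"        # assumption: AM's default session cookie name
AM_BASE = "https://am.example.com/openam"  # placeholder deployment URL


def am_invalidate(token, base=AM_BASE):
    """Ask AM to invalidate the session. Assumed endpoint; verify for your version."""
    req = urllib.request.Request(
        f"{base}/json/sessions/?_action=logout",
        data=b"{}",
        method="POST",
        headers={COOKIE_NAME: token, "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status == 200
    except OSError:  # covers HTTP errors, e.g. the session was already invalid
        return False


def expire_cookie(name, domain, path="/"):
    """Build a Set-Cookie value that deletes the cookie in the browser.

    Domain and Path must match the values the cookie was created with,
    otherwise the browser keeps the original cookie.
    """
    return (f"{name}=; Domain={domain}; Path={path}; Max-Age=0; "
            "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly")


def handle_logout(cookie_header, invalidate=am_invalidate, domain=".example.com"):
    """Server-side logout: invalidate in AM, then clear the cookie ourselves."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    token = morsel.value if morsel is not None else ""
    invalidated = bool(token) and bool(invalidate(token))
    # The REST call never touches the cookie, so always send the expiry header,
    # even when AM reports the session was already gone.
    return {"invalidated": invalidated,
            "set_cookie": expire_cookie(COOKIE_NAME, domain)}
```

`handle_logout` takes the raw `Cookie` request header and returns the `Set-Cookie` value to put on the logout response; the `invalidate` parameter exists so the REST call can be replaced in tests.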



©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
