|Applies To||RSA ClearTrust Agent 3.0.2 for IIS; RSA ClearTrust Agent 4.0 for Sun ONE Web Server 6.0|
|Issue||Viewing RSA ClearTrust logout page does not log the user out|
When an already authenticated user views the configured ClearTrust logout page, the Agent does not log the user out; the user can continue to access ClearTrust-protected resources even after logging out.
When Basic authentication is used instead of forms-based login, the user still appears to be logged in after viewing the ClearTrust logout page; the user can continue accessing protected pages without re-entering a username and password to re-authenticate.
If cleartrust.agent.form_based_enabled is set to True/Yes, logout works correctly.
Not being able to log out is a limitation of how non-form-based authentication works. It stems from the HTTP protocol: once the browser has sent a Basic Authorization header during a session, the server has no way to clear it. On each access to a protected page the browser may silently resubmit the cached credentials obtained earlier in the session, so it appears as if the user never logged out.
The user must close the browser to flush the stored credentials. This does not happen with ClearTrust forms-based login, because the credentials are handled entirely by the ClearTrust Agent and are explicitly flushed by the agent when the logout page is accessed.
|Resolution||Forms-based login may be used to gain more control over session timeout and logout. If non-forms-based authentication must be used, a stronger message can be added to the logout page informing the user that they should close the browser to clear any stored username and password.|
|Workaround||The following parameter was set in webagent.conf: cleartrust.agent.form_based_enabled = False/No|
|Legacy Article ID||a21558|
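As an added illustration (not the ClearTrust Agent's own code; the users, the CTSESSION cookie name and the browser's credential cache are constructed for the example), the following models why the logout page has no effect under Basic authentication, where the agent holds no state it could clear, while the forms-based agent can flush the session it issued:

```python
# Added illustration, not the ClearTrust Agent's code: users, cookie name and
# the browser's credential cache are constructed sample data.
import base64
import secrets

USERS = {"alice": "s3cret"}  # constructed sample credentials

class Agent:
    """Minimal model of a web agent guarding /protected and serving /logout."""
    def __init__(self, form_based_enabled):
        self.form_based_enabled = form_based_enabled
        self.sessions = {}  # session token -> user (forms-based mode only)

    def login(self, user, pw):
        """Forms-based login: issue a session token the agent can later revoke."""
        if USERS.get(user) != pw:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def handle(self, path, headers):
        """Return the HTTP status the agent would send for this request."""
        if self.form_based_enabled:
            token = headers.get("Cookie", "").partition("CTSESSION=")[2]
            user = self.sessions.get(token)
            if path == "/logout" and user:
                del self.sessions[token]  # the agent flushes the session itself
                return 200
            return 200 if user else 401
        # Basic auth: no server-side state to clear; only the header presented counts.
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        return 200 if USERS.get(user) == pw else 401

def basic_flow():
    agent = Agent(form_based_enabled=False)
    # The browser caches these credentials and silently resubmits them.
    cached = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}
    agent.handle("/protected", cached)
    agent.handle("/logout", cached)
    return agent.handle("/protected", cached)  # 200: still treated as logged in

def forms_flow():
    agent = Agent(form_based_enabled=True)
    cookie = {"Cookie": "CTSESSION=" + agent.login("alice", "s3cret")}
    agent.handle("/protected", cookie)
    agent.handle("/logout", cookie)
    return agent.handle("/protected", cookie)  # 401: session was flushed
```

Closing the browser is the only thing that empties the cached Basic credentials in the first flow; in the second, the agent's own session table is the authority, which is what the forms-based resolution above relies on.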