000021189 - Viewing RSA ClearTrust logout page does not log the user out

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.

Article Content

Article Number: 000021189
Applies To: RSA ClearTrust Agent 3.0.2 for IIS
RSA ClearTrust Agent 4.0 for Sun ONE Web Server 6.0
Issue: Viewing RSA ClearTrust logout page does not log the user out

When an already authenticated user views the configured ClearTrust logout page, the Agent does not log the user out; the user is able to continue to access ClearTrust-protected resources even after logging out.

When Basic authentication is used instead of forms-based login, the user still appears to be logged in after viewing the ClearTrust logout page; the user can continue accessing protected pages without re-entering a username and password and re-authenticating.

If cleartrust.agent.form_based_enabled is set to True/Yes, logout works correctly.

Not being able to log out is a limitation of how non-form-based authentication works. It is a limitation of the HTTP protocol: once the browser has sent a Basic Authorization header during a session, the server has no way to tell it to discard the cached credentials. On each subsequent request for a protected page, the browser may silently resubmit the credentials obtained earlier in the session, so it appears as if the user never logged out.

The user must close the browser application to flush the stored user credentials.
This does not happen with ClearTrust forms-based login because the user credentials are handled entirely by the ClearTrust Agent and are explicitly flushed by the agent when the logout page is accessed.
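To make the difference concrete, here is an added Python model (not RSA code) of the two login modes described above. The Basic-auth agent judges every request from the header the browser resends, so its logout page has nothing to revoke; the forms-based agent owns a session it can flush. The user store, the cookie name CTSESSION and the helper names are constructed for the illustration.

```python
import base64
import secrets

# Constructed sample credential store; a real agent consults the ClearTrust server.
USERS = {"alice": "s3cret"}


def basic_header(user, pw):
    """Build the 'Authorization: Basic ...' value a browser caches after one login."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def basic_user(header):
    """Return the user named in a valid Basic Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None
    return user if USERS.get(user) == pw else None


class BasicAuthAgent:
    """Non-forms-based login: no server-side session, so /logout revokes nothing."""
    def handle(self, path, headers):
        if path == "/logout":
            return 200, "logout page"
        user = basic_user(headers.get("Authorization"))
        return (200, "hello " + user) if user else (401, "unauthorized")


class FormsAuthAgent:
    """Forms-based login: the agent issues the session and can flush it on /logout."""
    def __init__(self):
        self.sessions = {}

    def login(self, user, pw):
        if USERS.get(user) != pw:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def handle(self, path, headers):
        token = headers.get("Cookie", "").partition("CTSESSION=")[2]
        if path == "/logout":
            self.sessions.pop(token, None)  # the explicit flush the article describes
            return 200, "logout page"
        user = self.sessions.get(token)
        return (200, "hello " + user) if user else (401, "unauthorized")


def still_authenticated_after_logout(agent, cached_headers):
    """Replay the browser: view /logout, then silently resend the cached header."""
    agent.handle("/logout", cached_headers)
    status, _ = agent.handle("/protected", cached_headers)
    return status == 200
```

Running the same replay against both agents shows the Basic-auth user still reaching the protected page after logout, while the forms-based session is rejected with 401.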
Resolution: Forms-based login may be used to allow more control over session timeout and the ability to log out. If non-forms-based authentication must be used, a stronger message can be added to the logout page informing the user that they should close the browser to clear any username and password information.
Workaround: The following parameter was set in webagent.conf:

    cleartrust.agent.form_based_enabled = False/No
Legacy Article ID: a21558