Container managed Authentication does not kill session
When Container Managed Authentication is in use and User1 logs in to the system and then logs off, the User1 session is not terminated until the browser is closed.
Steps to Reproduce
1. Configure the system for Container Managed Authentication.
2. Log in to the system as User1 successfully.
3. Log off User1 and log in as User2. The system still shows the current user as User1.
4. Alternatively, log off User1 and type the Pega URL into the same browser. The system logs in to the application automatically without prompting with the login screen, and the application shows User1's profile. Sometimes SMA is also unable to find the requestor for a Container Managed Authentication user.
There were three levels of authentication being done:
2) Container Managed Authentication (WebSphere)
3) PRPC (Container Managed Authentication)
No logoff from PRPC was being performed when the user clicked "Logoff": the standard PRPC logoff had been modified to call the WebSEAL logoff directly.
Because PRPC was never logged off, the same PRPC session was reused on the next request. A logoff from the container (WebSphere) is also needed.
PRPC authentication is session based and uses a standard session cookie named Pega-RULES.
When using custom authentication you must log off of PRPC to end the PRPC session and set the Pega-RULES cookie to "none".
Instead of modifying the Logoff links, use the standard PRPC logoff functionality.
Then add customizations to the Web-Session-Return HTML rule. This HTML is displayed after the user has been logged off of PRPC and the session cookie Pega-RULES has been set to "none".
Add redirects there to log off of third-party security software (the WebSphere container and WebSEAL in this case) as required, so that all three sessions end when the user clicks "Logoff".
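The following is an added illustration of the resolution above, not code from Pega or from the Web-Session-Return rule itself. It shows the two things a practitioner needs: a check that the PRPC logoff actually ran (the logoff response must reset Pega-RULES to "none"), and the chained redirect that Web-Session-Return sends the browser through so the container and WebSEAL sessions end as well. The endpoint names are assumptions about the deployment: WebSphere's form-logout servlet ibm_security_logout with its logoutExitPage parameter, and WebSEAL's /pkmslogout. The Set-Cookie samples are constructed.

```javascript
// Added example (not Pega's code): logic behind a customized
// Web-Session-Return HTML rule that chains the container and WebSEAL
// logoffs after the standard PRPC logoff, plus a check that the PRPC
// logoff actually ran. Endpoint names are assumptions about the
// deployment: WebSphere's ibm_security_logout servlet with its
// logoutExitPage parameter, and WebSEAL's /pkmslogout.

// Parse a list of Set-Cookie header values into { name: value }.
function parseSetCookies(setCookieHeaders) {
  const out = {};
  for (const header of setCookieHeaders) {
    const pair = header.split(';')[0];
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    out[pair.slice(0, idx).trim()] = pair.slice(idx + 1).trim();
  }
  return out;
}

// The PRPC session is ended only when the logoff response resets the
// Pega-RULES cookie to "none". If the cookie is untouched or still carries
// a session id, the next request is resumed as the previous user.
function pegaSessionCleared(setCookieHeaders) {
  const value = parseSetCookies(setCookieHeaders)['Pega-RULES'];
  return typeof value === 'string' && value.toLowerCase() === 'none';
}

// Build the redirect chain: container logoff first, which then sends the
// browser on to the WebSEAL logoff. Both base URLs are deployment-specific.
function buildLogoffChain({ appBase, websealBase }) {
  const trim = (u) => u.replace(/\/+$/, '');
  const url = new URL(trim(appBase) + '/ibm_security_logout');
  url.searchParams.set('logoutExitPage', trim(websealBase) + '/pkmslogout');
  return url.toString();
}

// Decide what Web-Session-Return should do: refuse to continue the chain
// when the PRPC logoff was bypassed, otherwise hand back the redirect.
function nextStepAfterPrpcLogoff(setCookieHeaders, targets) {
  if (!pegaSessionCleared(setCookieHeaders)) {
    return {
      ok: false,
      reason: 'Pega-RULES was not reset to "none": the standard PRPC logoff did not run',
    };
  }
  return { ok: true, redirect: buildLogoffChain(targets) };
}

// Constructed samples: Set-Cookie headers from a correct logoff response
// and from a response where the logoff link bypassed PRPC entirely.
const SAMPLE_LOGOFF_RESPONSE = ['Pega-RULES=none; Path=/prweb; HttpOnly'];
const SAMPLE_BROKEN_RESPONSE = ['JSESSIONID=0000abc; Path=/'];

// Browser side of the HTML rule: by the time Web-Session-Return renders,
// the standard logoff has already reset Pega-RULES, so send the browser
// down the chain. Assumes WebSEAL fronts the application on the same origin.
if (typeof window !== 'undefined') {
  window.location.replace(buildLogoffChain({
    appBase: window.location.origin,
    websealBase: window.location.origin,
  }));
}
```

To confirm the fix in a browser, look at the Set-Cookie header of the logoff response in the developer tools: it must carry Pega-RULES=none before the redirect chain starts, and a fresh request to the Pega URL afterwards must land on the login prompt rather than on User1's profile.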