Fix (APAR): PI57465
Status: Fix
Release: 8.5.5.9,8.5.5.8,8.5.5.7,8.5.5.6,8.5.5.5,8.5.5.4,8.5.5.3
Operating System: AIX,HP-UX,IBM i,Linux,Solaris,Windows,iOS,z/OS
Supersedes Fixes:
CMVC Defect: xxxxxx
Byte size of APAR: 1262433
Date: 2016-06-23

Abstract: oidc: remove session cookie after logout

Description/symptom of problem:
PI57465 resolves the following problem:

ERROR DESCRIPTION:
OIDC session cookie is not removed after logout. You can still see the cookie in the browser after logout.

LOCAL FIX:
No

PROBLEM SUMMARY
USERS AFFECTED: IBM WebSphere Application Server users of OpenID Connect
PROBLEM DESCRIPTION: The OpenID Connect Relying Party does not delete its cookies on logout
RECOMMENDATION: Install a fix pack that contains this APAR

The OpenID Connect (OIDC) Relying Party (RP) session cookie, OIDCSESSIONID_(clientId), remains after logout. This cookie should be deleted upon logout.

PROBLEM CONCLUSION:
The OIDC Relying Party is updated to support logout through the HttpServletRequest.logout() Java API call. This API call will clear the LtpaToken2 and any other cookies the OIDC RP created.

Note that logout through the deprecated revokeSSOCookies() method and through the ibm_security_logout servlet is not supported for the OpenID Connect Relying Party.

The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.13 and 8.5.5.10. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS, OIDC

Directions to apply fix:

Fix applies to Editions:
Release 8.5
_x_ Application Server (Express or BASE)
_x_ Network Deployment (ND)
__ Liberty Core
__ Edge Components
__ Developer

Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes.
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes.
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
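
An added example (not part of the IBM fix readme): a check that a logout response deletes the cookies named in the problem conclusion above. It assumes deletion appears on the wire as a Set-Cookie header with Max-Age of 0 or a past Expires date, and that the RP cookie name is OIDCSESSIONID_ followed by the client id; the client id rp1 and the sample headers are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers from a logout response. The client id
# "rp1", the paths and the attribute order are made up for illustration.
SAMPLE_FIXED = [
    "LtpaToken2=; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/; HttpOnly",
    "OIDCSESSIONID_rp1=; Max-Age=0; Path=/; Secure; HttpOnly",
]
SAMPLE_UNFIXED = [SAMPLE_FIXED[0]]  # RP session cookie is never cleared

def parse_set_cookie(header):
    """Return (name, value, attrs) with attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def is_deletion(attrs, now):
    """True if the attributes expire the cookie (Max-Age wins over Expires)."""
    try:
        return int(attrs["max-age"]) <= 0
    except (KeyError, ValueError):
        pass  # absent or invalid Max-Age: fall back to Expires
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return False  # session cookie or unparsable date: not a deletion
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return expires <= now

def cookies_left_after_logout(set_cookie_headers, client_id, now=None):
    """Names of the expected cookies that the logout response did NOT delete."""
    now = now or datetime.now(timezone.utc)
    expected = {"LtpaToken2", "OIDCSESSIONID_" + client_id}
    deleted = set()
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name in expected and is_deletion(attrs, now):
            deleted.add(name)
    return sorted(expected - deleted)

if __name__ == "__main__":
    print("fixed:  ", cookies_left_after_logout(SAMPLE_FIXED, "rp1"))
    print("unfixed:", cookies_left_after_logout(SAMPLE_UNFIXED, "rp1"))
```

Feed it the Set-Cookie headers captured from the application's own logout response; an empty list means both cookies were cleared.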