Session termination of a CSP REST application

Question

Question

Giray Ozel · Jul 10, 2018

I have a CSP REST web application where I'm using delegated authentication via basic authentication in the REST calls. When I do a call to the web app with correct user credentials, I get a CSPSESSIONID cookie back representing the CSP session, which has started for the user I'm logged in with.

And when I want to log out/end the CSP session with the "CacheLogout=end" query parameter, I get a 401 Unauthorized code back. But the csp session itself does get terminated, which means the logout call was successful.

Is there a way to have it return a 200 OK status code? Should I be looking at EndSession property of the CSP session instead of using the query parameter?

Discussion (3)0

Log in or sign up to continue

David Crawford · Jul 10, 2018

I use a similar setup with some projects, albeit not with delegation. But appending the param to my url has never given me 401 messages. What kind of permissions do you have setup for your web app? If you manually insert this param at any point in the app, does it always give 401? Are you still redirected to your login page? Where are you capturing the 401, or is it sent on its own?

0 0

score 0 · Answer 1 · 2018-07-10T11:56:03-04:00

No concrete permissions if you mean permitted classes in the web app configuration.

It always gives 401.

I don't redirect to a login page since it is part of a custom application.

It is sent on its own.

score 0 · Answer 2 · 2018-07-10T12:18:56-04:00

Have you been able to reproduce this in essentially an empty delegated web app? If it works there then we know it's probably just a logic problem with your code.

The next thing I would try for nailing down the culprit is looking at where the 401 is generated. %CSP.Rest on its own contains two functions that output 401 errors, Page and Login. I'm brainstorming now, but if it's coming from Page, I'd think your logic is trying to load something after being logged out (a login page it can't find maybe?), and if it's from Login, that'd be odd to me but probably something in your logic trying to immediately log back in with empty or bad credentials.

If you're able to see those 401 calls being fired in the rest class, try overriding the functions and capturing more information from them to see what's really going on and why they're being called with improper authentication.