Legacy Knowledge Base
Published Jul. 2, 2025

How to resolve users being unable to log out after configuring a Token-Based SSO

Written By

Isaac Wilson

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • After configuring and enabling a token-based SSO in our DXP 7.2 environment (upgraded from 7.0), users are no longer able to log out: the logout request redirects them to the home page, still logged in. In our 7.0 environment, with the same SSO configuration, users were logged out as expected and redirected to the third-party SSO's login screen.
  • Inspecting the cookies of a logout attempt in a HAR capture shows that the original SMSESSION cookie, set for the superdomain .website.com, is not cleared. The logout response does carry a Set-Cookie header with an empty SMSESSION value (which is how the cookie is meant to be cleared), but its Domain attribute is the subdomain sub.website.com rather than .website.com.

Environment

  • DXP 7.1, 7.2, 7.3
  • Application Server: Tomcat 8.5+

Resolution

  • To resolve the issue, the Set-Cookie header Liferay issues for SMSESSION at logout must carry the same Domain as the existing cookie, in this case the superdomain .website.com. Either of the following portal properties (set in portal-ext.properties) achieves this:
    session.cookie.domain=.website.com
    

    or

    session.cookie.use.full.hostname[tomcat]=false
  • In addition to the Liferay configuration above, Tomcat must be configured to use a CookieProcessor that accepts dot-prefixed domains such as .website.com. This is done inside the <Context> element of the application server's context.xml, for example:
    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
  • To verify the fix, repeat the logout with a HAR capture: the Set-Cookie header for SMSESSION in the logout response should now carry Domain=.website.com, and the browser should no longer send SMSESSION on the request that follows the redirect.
    

Additional Information

  • As described in third-party documentation of the cookie Domain attribute, a cookie set for a given domain is sent to that domain and to all of its subdomains. The reverse is not true: a cookie set for a subdomain is not usable on its parent domain, and a Set-Cookie scoped to the subdomain addresses a different cookie than one scoped to the parent. In this case the original SMSESSION cookie exists on the superdomain .website.com, outside the scope of sub.website.com, so the clearing Set-Cookie issued for sub.website.com never touched it. Note that the same rule means a cookie scoped to .website.com is sent to every host under website.com, so the superdomain should only be used when all of those hosts are trusted.
  • The additional Tomcat configuration is necessary because the Tomcat-specific default of session.cookie.use.full.hostname (session.cookie.use.full.hostname[tomcat]) is true in DXP 7.1+, following Tomcat 8.0's introduction of the CookieProcessor interface and Tomcat 8.5's switch to the new Rfc6265CookieProcessor as the default processor (the component that parses Cookie headers on requests and generates Set-Cookie headers on responses). Rfc6265CookieProcessor does not allow a dot-prefixed Domain in the Set-Cookie headers it generates, so a use case that requires one also requires configuring Tomcat with a CookieProcessor that supports it, such as LegacyCookieProcessor.
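To see why a Set-Cookie scoped to sub.website.com cannot clear a cookie stored for .website.com, the following added example (not part of this article, and not Liferay or SiteMinder code) models a browser's cookie store along the lines of RFC 6265: cookies are keyed by name, domain and path, and an expiring Set-Cookie removes only the cookie with the same key. The host names, the cookie value and the Set-Cookie headers are constructed for illustration.

```python
"""Model of how a browser matches a logout Set-Cookie against an existing
SSO cookie (RFC 6265 storage model, simplified).

Added example for illustration only; host names, cookie value and headers
below are constructed and do not come from any real deployment.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

REQUEST_HOST = "sub.website.com"   # the Liferay DXP host (assumed)
SSO_DOMAIN = ".website.com"        # superdomain used by the SSO agent (assumed)


def canonical_domain(domain: str) -> str:
    """RFC 6265 5.2.3: a leading '.' in the Domain attribute is ignored."""
    return domain.lower().lstrip(".")


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: the host is the domain itself or a subdomain of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


class BrowserCookieJar:
    """Cookies keyed by (name, domain, path), as a user agent stores them."""

    def __init__(self) -> None:
        self.store = {}

    def apply_set_cookie(self, header: str, request_host: str) -> None:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            # No Domain attribute -> host-only cookie for the request host
            if morsel["domain"]:
                domain = canonical_domain(morsel["domain"])
            else:
                domain = request_host.lower()
            key = (name, domain, morsel["path"] or "/")
            if self._is_expired(morsel):
                # A clearing Set-Cookie removes only the cookie with the SAME
                # (name, domain, path); a cookie stored under another domain
                # is left untouched, which is the failure mode in this article.
                self.store.pop(key, None)
            else:
                self.store[key] = morsel.value

    @staticmethod
    def _is_expired(morsel) -> bool:
        if morsel["max-age"]:
            return int(morsel["max-age"]) <= 0
        if morsel["expires"]:
            expires = parsedate_to_datetime(morsel["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            return expires <= datetime.now(timezone.utc)
        return False

    def cookies_sent_to(self, host: str) -> dict:
        """Cookies the browser would attach to a request for `host`."""
        return {
            name: value
            for (name, domain, _path), value in self.store.items()
            if domain_matches(host, domain)
        }


def logout_leaves_sso_cookie(logout_cookie_domain: str) -> bool:
    """True if SMSESSION is still sent to the portal after the logout response."""
    jar = BrowserCookieJar()
    # 1. The SSO agent sets the session cookie on the superdomain (constructed value)
    jar.apply_set_cookie(
        f"SMSESSION=opaque-sso-token; Domain={SSO_DOMAIN}; Path=/", REQUEST_HOST
    )
    # 2. Liferay's logout response tries to clear it with an empty, expired cookie
    jar.apply_set_cookie(
        f"SMSESSION=; Domain={logout_cookie_domain}; Path=/; Max-Age=0", REQUEST_HOST
    )
    return "SMSESSION" in jar.cookies_sent_to(REQUEST_HOST)


if __name__ == "__main__":
    # DXP 7.1+ default (full hostname): the superdomain cookie survives logout
    print("Domain=sub.website.com -> still logged in:",
          logout_leaves_sso_cookie("sub.website.com"))
    # With session.cookie.domain=.website.com: the cookie is cleared
    print("Domain=.website.com    -> still logged in:",
          logout_leaves_sso_cookie(".website.com"))
```

With the Domain values from the Issue section, the clearing Set-Cookie for sub.website.com leaves SMSESSION in the store and the browser keeps sending it to the portal, while the one for .website.com removes it. Because RFC 6265 has the browser ignore a leading dot in the Domain attribute, the model treats .website.com and website.com as the same domain; whether the server may emit the dot-prefixed form is the separate Tomcat CookieProcessor matter described above.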
