Unable to Log Out User Sessions of Application Systems When Calling Global Logout

# Problem Description

When an application system integrates with the IDaaS authentication service through a standard protocol such as OAuth2 or OIDC, and the administrator has added the application system's logout URL to the application's configuration in the IDaaS Enterprise Center, application developers often encounter the following scenarios in which the application system's user sessions are not logged out when global logout is called.

  • IdP-initiated sign-out: The user first logs in to the IDaaS User Center, then accesses application systems App1 and App2 within their authorized scope. When the user clicks "Unified Logout" in the IDaaS User Center, only the SSO session is invalidated; the user sessions of the application systems are not logged out in sync.
  • SP-initiated sign-out: The user first accesses the target application system App1 after IDaaS authentication, then continues on to App2/3/N. When the user clicks logout in an application system that has integrated global logout, the SSO session and the current application system's user session are invalidated, but the user sessions of the other business systems are not logged out in sync.

# Root Cause

1. The logout URL configured for the application system uses HTTP rather than HTTPS.

Because the IDaaS service is served over HTTPS, when the IDaaS unified logout page calls an application system's HTTP logout URL, the browser treats that request as insecure (mixed content) and blocks it, so the application system's user session is never logged out.

2. When IDaaS calls the application system's logout URL in a cross-site request, the application system cannot read its own session cookie for the current user.

In a cross-site request, when Zhuyun IDaaS calls the application system's logout URL, the browser restricts which cookies are attached. Without its session cookie, the application system cannot identify which user is logged in to the business system, so it cannot log that user's session out.

# Solution

1. The application system must be served over HTTPS.

2. In cross-site scenarios, set the SameSite attribute of the cookie issued by the server to None together with the Secure attribute (`SameSite=None; Secure`), declaring that the cookie may be sent on both cross-site and same-site requests.

Example of setting the cookie with Java HttpResponse.addHeader():

```java
// Issue the session cookie so that it is also attached to cross-site requests.
// SameSite=None is only honoured by browsers when Secure is present as well.
response.addHeader("Set-Cookie", "CookieName=CookieValue; SameSite=None; Secure");
```

Important Notes:

  • SameSite=None is not supported over plain HTTP: a cookie with SameSite=None must also carry the Secure attribute, which means the browser only sends it over HTTPS.
  • Newer versions of Safari have "Prevent cross-site tracking" enabled by default, which blocks cross-site access to third-party cookies. Even if the application server sets SameSite=None; Secure, Safari may still not attach the cookie to the request. For details, refer to: Safari Blocking Third-Party Cookies Prevents Retrieval of User Login Status

3. Use Nginx or another gateway as a reverse proxy so that the cross-site logout call becomes a same-site request.
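As an added example (not from the IDaaS documentation), the following Python builds the Set-Cookie value that step 2 calls for and audits a captured Set-Cookie header for the two root causes above, so an application team can check its own responses before re-testing global logout. The cookie name, the sample header values and the `site_scheme` argument are constructed for illustration.

```python
# Added example (not from the IDaaS documentation): build and audit the
# Set-Cookie header that the cross-site logout call depends on.
# Cookie names, values and the `site_scheme` argument are hypothetical.
from dataclasses import dataclass


@dataclass
class CookieSpec:
    name: str
    value: str
    same_site: str = "None"   # "Strict", "Lax" or "None"
    secure: bool = True
    http_only: bool = True
    path: str = "/"


def build_set_cookie(spec: CookieSpec, site_scheme: str) -> str:
    """Return a Set-Cookie header value, refusing combinations browsers reject.

    site_scheme is the scheme the application is served on ("http"/"https").
    Rules enforced (root cause 1 and the first note above):
      - SameSite=None is only honoured together with Secure.
      - A Secure cookie is never sent to an http:// site.
    """
    same_site = spec.same_site.capitalize()  # accept "none", "NONE", ...
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError(f"invalid SameSite value: {spec.same_site!r}")
    if same_site == "None" and not spec.secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    if spec.secure and site_scheme.lower() != "https":
        raise ValueError("Secure cookies are only sent over HTTPS; "
                         "serve the application over https://")
    parts = [f"{spec.name}={spec.value}", f"Path={spec.path}",
             f"SameSite={same_site}"]
    if spec.secure:
        parts.append("Secure")
    if spec.http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def audit_set_cookie(header_value: str, site_scheme: str) -> list:
    """List the reasons a captured Set-Cookie value would break the
    cross-site logout call (an empty list means it should work)."""
    attrs = [a.strip() for a in header_value.split(";") if a.strip()]
    flags = {}
    for attr in attrs[1:]:                     # attrs[0] is name=value
        key, _, val = attr.partition("=")
        flags[key.lower()] = val if val else True
    problems = []
    # Browsers (Chrome 80 and later) treat a missing SameSite attribute as Lax.
    same_site = flags.get("samesite", "Lax")
    same_site = same_site.capitalize() if isinstance(same_site, str) else "Invalid"
    secure = "secure" in flags
    if same_site != "None":
        problems.append(f"SameSite={same_site}: the cookie is not sent on the "
                        "cross-site logout request")
    if same_site == "None" and not secure:
        problems.append("SameSite=None without Secure: browsers reject the cookie")
    if secure and site_scheme.lower() != "https":
        problems.append("Secure cookie on an http:// site: the browser never sends it")
    return problems


if __name__ == "__main__":
    # Constructed sample: the header an application should emit after the fix.
    print(build_set_cookie(CookieSpec("JSESSIONID", "abc123"), "https"))
    # Constructed sample: the header of an application that has not applied it.
    print(audit_set_cookie("JSESSIONID=abc123; Path=/; HttpOnly", "https"))
```

`audit_set_cookie` takes the raw header value as it appears in a captured response, which is the quickest way to confirm whether an application that "cannot be logged out" is still issuing a default (Lax) cookie or a SameSite=None cookie without Secure.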

# SameSite Attribute

SameSite is one of the attributes of the HTTP response header Set-Cookie. It allows declaring whether the cookie is restricted to first-party or same-site contexts.

SameSite can have the following three values:

  1. Strict: Only allows first-party requests to carry cookies, meaning the browser will only send cookies for same-site requests, i.e., when the current webpage URL exactly matches the request target URL.
  2. Lax: Allows some third-party requests to carry cookies.
  3. None: Cookies are sent regardless of whether the request is cross-site or same-site.

Previously, a cookie without a SameSite attribute was treated as None. Since Chrome 80, the default is Lax.

Lax behavior is shown in the table below:

| Request type | Example | Normal behavior | Lax behavior |
|---|---|---|---|
| Link | `<a href="..."></a>` | Sends cookie | Sends cookie |
| Preload | `<link rel="prerender" href="..."/>` | Sends cookie | Sends cookie |
| GET form | `<form method="GET" action="...">` | Sends cookie | Sends cookie |
| POST form | `<form method="POST" action="...">` | Sends cookie | Does not send |
| iframe | `<iframe src="..."></iframe>` | Sends cookie | Does not send |
| AJAX | `$.get("...")` | Sends cookie | Does not send |
| Image | `<img src="...">` | Sends cookie | Does not send |

When SameSite is set to Lax, cross-site requests made by POST forms, iframes, AJAX calls, and images do not send the cookie.
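Added example, not part of the original page: a small Python model of the decision in the table above, extended to Strict and None so the three values can be compared for the case this page is about, IDaaS calling an application's logout URL from another site. The URLs are constructed, and the `site_of` helper is an assumption of the example (registrable domain approximated as the last two host labels).

```python
# Added example (not from the original page): model the browser's SameSite
# decision from the table above for the three attribute values.
# The `site_of` helper is a simplification assumed by this example: the
# registrable domain is approximated as the last two host labels.
from urllib.parse import urlsplit

# Request kinds from the table. True = top-level navigation with a safe
# method, the only cross-site case in which a Lax cookie is still sent.
TOP_LEVEL_SAFE_NAVIGATION = {
    "link": True,         # <a href="...">
    "prerender": True,    # <link rel="prerender" href="...">
    "form_get": True,     # <form method="GET">
    "form_post": False,   # <form method="POST">
    "iframe": False,      # <iframe src="...">
    "ajax": False,        # XMLHttpRequest / fetch
    "image": False,       # <img src="...">
}


def site_of(url: str) -> str:
    """Approximate a URL's 'site' as scheme plus registrable domain."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    return f"{parts.scheme.lower()}://{'.'.join(labels[-2:])}"


def cookie_is_sent(request_kind: str, same_site: str, initiator_url: str,
                   target_url: str, secure_cookie: bool = True) -> bool:
    """Would the target's cookie accompany a request of this kind that is
    initiated from initiator_url?"""
    if request_kind not in TOP_LEVEL_SAFE_NAVIGATION:
        raise ValueError(f"unknown request kind: {request_kind}")
    same_site = same_site.capitalize()
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError(f"invalid SameSite value: {same_site}")
    if secure_cookie and urlsplit(target_url).scheme.lower() != "https":
        return False                      # Secure cookies never go to http://
    if site_of(initiator_url) == site_of(target_url):
        return True                       # same-site: every value sends it
    if same_site == "Strict":
        return False
    if same_site == "Lax":
        return TOP_LEVEL_SAFE_NAVIGATION[request_kind]
    return secure_cookie                  # None is honoured only with Secure


def logout_call_table(idaas_url: str, app_logout_url: str) -> list:
    """Rows of (kind, Strict, Lax, None) for IDaaS calling an app's logout URL."""
    return [(kind,) + tuple(cookie_is_sent(kind, v, idaas_url, app_logout_url)
                            for v in ("Strict", "Lax", "None"))
            for kind in TOP_LEVEL_SAFE_NAVIGATION]


if __name__ == "__main__":
    # Constructed URLs: the IDaaS logout page and a cross-site application.
    for row in logout_call_table("https://idaas.example.com/logout",
                                 "https://app1.example.org/logout"):
        print("%-10s Strict=%-5s Lax=%-5s None=%s" % row)
```

Running the block prints one row per request kind; only the None column is True for the iframe, AJAX, image and POST-form rows, which is why the solution above requires SameSite=None; Secure on the application's session cookie, and why an http:// logout URL fails for every value.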