What token do you refer to?
I.e., what are you logging in with?
You can create a session while they are unauth:
# Should sessions be established for access to unprotected resources? This
# configuration item is useful when a consistent session identifier is
# required for clients as they transition from unauthenticated to
# authenticated.
create-unauth-sessions = no
But I'm not sure I understand why you want to keep an old one around.
You could get rid of any 'logged out' cookies:
# Remove the WebSEAL session cookie on logout
logout-remove-cookie = no
But an expired session may still have an old cookie in the browser if they didn't explicitly log out.