Sadly, no.  I ended up going with cookie invalidation by running OpenDocument and the web application via the same load balancer, but using different paths for each.

E.g. this code in the web application which forwards users to OpenDocument

Cookie deletionCookie = new Cookie(JSESSIONID, "");

deletionCookie.setPath("/BOE");

deletionCookie.setMaxAge(0);

response.addCookie(deletionCookie);

Thankfully, user licenses aren't a problem for us.

Prithvi,

Thanks for the response.  I have verified that you are correct that the WCA token doesn't increase the session count which is good (I suspect that using a serialized session also avoids this problem).

Of concern is that even after invalidating WCA session tokens or logging off the originating enterprise session it's still possible to continue to use the OpenDocument launched session from within the same browser.

That is to say, the following appears possible:

1. Create an enterprise session for a user and obtain a WCA logon token (or a default logon token)

2. Redirect them to the OpenDocument JSP in an iframe

3. User ends up spawning multiple windows (e.g.) and looses track of the window with the WebI document in it (they forget about it).

4. User logs out of the containing web application, which executes the following code[1] to invalidate any WCA logon tokens as well as well as logoff the IEnterpriseSession:

5. Another user starts using the computer and discovers the previous user left a WebI report open.

Admittedly, this is not a very common scenario, but I think that the WebI report accidentally left open (although it might contain some visible information in it) should not allow any new server side requests to be executed for it.  That's not what I'm seeing here.  It appears that the JESSIONID cookie isn't invalidated immediately and you can continue to use the existing report window to do anything like modifying an existing report, opening a saved report, creating a new report, etc.

Basically, I think the bug is that the following code[1] should invalidate the session (JSESSIONID) established for the OpenDocument request?  Barring that change being made, it would be nice if there could be a logoff page that doesn't require CSRF (even if it's disabled by default) so that containing web applications could handle the logoff on their own in an asynchronous request.  Most organizations using OpenDocument probably are willing to live with the security ramifications of allowing logoff without the CSRF token, even if theoretically it could be leveraged into a DOS attack.

[1]

    //close the BO session.

    if (boSession != null) {

      try {

        for(String token : oneTimeTokens) {

          boSession.getLogonTokenMgr().releaseToken(token);

        }

      } catch(SDKException se) {

        cat.error(se);

      }

      try {

        boSession.logoff();

      } catch (IManagedService.ManagedLogoffException mle) {

        if(cat.isDebugEnabled()) {

          cat.debug(mle);

        }

      }

      boSession = null;

    }

  }

Phil,

Thats a good observation. Can you please let me know the BO Product version with pathes (if any), so that I can check the behaviour.

A WCA token should get invalidated automatically, if the enterprise session which created is logged of.

Thus, Can you check after logoff on the open window if you are able to navigate pages in the report?

- Prithvi

Prithvi,

Thanks for the response and for looking into this.  This is on 4.1 SP3, I believe Fixpack 2 (although I doubt that matters).

I get the same behavior if I use createWCAToken() or getSerializedSession().  After logging off the enterprise session I can continue to use the WebIntelligence viewer to do stuff (navigate pages, open new documents, etc.).  The CMS and Web Intelligence server are running on the same machine if this matters.

I suspect that the token invalidation is working in at least some level in the CMS since I can see the "Number of Sessions Established By All Users" metric decrease appropriately after logging off the enterprise session.  My best guess is that whatever code actually invalidates user sessions when someone clicks the Logoff link in InfoView/Launchpad isn't being called (e.g. by an appropriate listener).

Anyways, good luck with it.  I'll probably post a hacky workaround to this thread when I have one.  I suspect I'll be loading custom.jsp in an async or hidden request and have it either perform session invalidation or redirect to the logoff screen with the bttoken.  If worse comes to worse I can just blow away the session cookie .

Was kind of surprised that this didn't work, but I guess you guys manage your sessions using something beyond HttpSession.

<%@ taglib prefix="rs" uri="http://www.businessobjects.com/resource/rs" %>

<rs:doctype />

<%@ page language="java" contentType="text/html;charset=utf-8" %>

<%@ page import="com.businessobjects.bip.core.web.appcontext.RequestInfo" %>

<%@ page import="javax.servlet.http.HttpSession" %>

<%@ page import="com.businessobjects.webutil.clientaction.CafParameters"%>

<%

  if(Boolean.parseBoolean(request.getParameter("invalidateSession"))) {

    HttpSession existingSession = request.getSession(false);

    if(existingSession != null) {

      existingSession.invalidate();

    }

  }

%>