Tuesday, July 08, 2008

Oracle Application Server 10.1.2 : SSO Session and Application Session

We had successfully configured an application deployed in Oracle AS 10.1.3.x to use Oracle AS 10.1.2 SSO. We were trying to develop "single sign off" and we hit a bug.

We just figured out that the Oracle AS 10.1.2 Session and the Java Application Session are different.

The Oracle AS 10.1.2 session is maintained by the SSO_ID cookie. As long as the SSO_ID cookie is present in the browser, the Oracle AS SSO "session" is maintained. The SSO session is killed only if the SSO_ID cookie is destroyed, and the SSO_ID cookie is "killed" only when we issue this dynamic directive (the mod_osso directive uses sendError, the standard HttpServletResponse method, with status 499):

// Tells mod_osso to clear the SSO_ID cookie and end the SSO session
response.sendError(499, "Oracle SSO");

However, the Java application session (an HTTP session) still lingers on. Hence, in order to clear the Java application session, we need to invalidate it explicitly using this:

// Ends the application's own HTTP session; the SSO_ID cookie is unaffected
session.invalidate();

The moral of the story: for a true "Single Sign Off", we need to invalidate both the SSO "session" and the Java application session.
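A logout servlet that performs both steps in one request, as an added example that is not code from the original post; the servlet class name, its URL mapping and the use of doGet are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet (e.g. mapped to /logout) in an application protected
// by mod_osso. Both sessions must be ended, otherwise the user stays logged
// in to whichever one was left alive.
public class SingleSignOffServlet extends HttpServlet {

    // mod_osso treats this status code and reason phrase as the dynamic
    // directive that clears the SSO_ID cookie and ends the SSO session.
    private static final int OSSO_LOGOUT_STATUS = 499;
    private static final String OSSO_LOGOUT_REASON = "Oracle SSO";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Step 1: end the Java application session (the HTTP session).
        // getSession(false) avoids creating a new session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Step 2: end the Oracle AS SSO session. This must be the last thing
        // the servlet does, because sendError commits the response and no
        // further output (or redirect) can be written afterwards.
        if (!response.isCommitted()) {
            response.sendError(OSSO_LOGOUT_STATUS, OSSO_LOGOUT_REASON);
        }
    }
}
```

If the order is reversed and the application session is invalidated after the response has been committed, the SSO_ID cookie is cleared but the HTTP session lingers, which is exactly the half-logged-out state described above.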
