Cannot remove cookies SMSESSION, PHPSESSID, in Siteminder


I have implemented Siteminder SSO Login. Everything works fine, but I am not able to remove the cookies SMSESSION, and PHPSESSID. I have read the other questions and tried the code, but all to no avail. The code I am using currently is:

    <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
    <META HTTP-EQUIV="Expires" CONTENT="-1">
    <script src="http://ajax.googleapis.com/ajax/libs/angularjs/1.2.26/angular.min.js"></script>
    <script type="text/javascript">
    function delCookie() {
        alert("inside delete cookie");
        // a cookie is only removed when it is set again with the same name, domain
        // and path and an expiry date in the past
        var expired = "expires=Thu, 01-Jan-70 00:00:01 GMT";
        document.cookie = "SMSESSION=; " + expired + "; domain=.<domain>.<com>; path=/";
        document.cookie = "SMTRYNO=0; domain=.<domain>.<com>; path=/";
        document.cookie = "JSESSIONID=; " + expired + "; domain=.<domain>.<com>; path=/";
        // note: '*' is not a wildcard here, this only targets a cookie literally named sapj2ee_*
        document.cookie = "sapj2ee_*=; " + expired + "; domain=.<domain>.<com>; path=/";
        document.cookie = "MYSAPSSO2=; " + expired + "; path=/";
        document.cookie = "SMSESSION=NO; domain=.<domain>.<com>; path=/";
        // alert(document.cookie);
        location.href = "http://www.<domain>.<com>";
    }
    </script>

Any help would be appreciated! The PHP code I use for removing cookies is added below:

    // remove session vars
    session_unset();
    // send a Set-Cookie header that invalidates the PHP session cookie, using the
    // same path/domain/secure/httponly attributes it was created with
    if (isset($_COOKIE[session_name()])) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', 1, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
    }

    // try for SMSESSION
    //$params = session_get_cookie_params();
    //setcookie(session_name(), '', 0, $params['path'], $params['domain'], $params['secure'], $params['httponly']);

    // expire every cookie the browser sent with this request
    $cookies = isset($_SERVER['HTTP_COOKIE']) ? explode(';', $_SERVER['HTTP_COOKIE']) : array();
    foreach ($cookies as $cookie) {
        $mainCookies = explode('=', $cookie, 2);
        $name = trim($mainCookies[0]);
        if ($name === '') {
            continue;
        }
        // no domain attribute given: these only match cookies scoped to this host name
        setcookie($name, '', 1);
        setcookie($name, '', 1, '/');
    }

    // finally, destroy the session
    session_destroy();

This removes all cookies and session vars, apart from SMSESSION.

3

There are 3 answers

1
sk_ On BEST ANSWER

First, deleting those cookies is a very bad idea/practice.

1) For the PHPSESSID cookie, you just have to destroy your session. Documentation here

2) SMSESSION is handled by the SiteMinder web agent installed on your application server. You must not mess with it. If you want to destroy the SiteMinder session, just redirect the user to the logout URL of your SiteMinder setup.

3
Avi On

Are the cookies set to HttpOnly? If that is the case, JavaScript will not be able to modify/delete the cookies. To check whether the cookies are HttpOnly, one of the easier ways would be to check the cookie status in the Cookie view of Firebug.

You can also create a server page in PHP and delete the cookies in that page. When the page is called, the server would respond with Set-Cookie headers which would set the cookie validity to -1.

It is not a good idea to use JavaScript to clean up session cookies since the logic is sent to the browser rather than being on the server.

If you are trying to log out from SiteMinder, you can also look at using the logoffuri parameter in the ACO, which specifies the resource that is the SM logout URL. Please note that if the resource is accessed, the SMSESSION cookie value is set to LOGGEDOFF, but the other application session cookies like PHPSESSID etc. will not be deleted.

Hope this helps, Avi

0
Avi On

I don't think it is a good idea to remove the HttpOnly flag from the cookie. The flag ensures that scripts on the page cannot read the cookie. It is a very bad idea to let JavaScript delete the SMSESSION cookie, and you should not use JS for logout either.

The reason you are not able to clean up the cookie from the server may be the cookie domain. If you are using a tool to trace the request, you should be able to see the domain of the SMSESSION cookie in the request and response. If the domains do not match, even though you are sending an invalidating cookie header, the browser will not delete the cookie. Typically, for an a.b.c domain name, the application cookies (PHP session etc.) would be mapped to a.b.c, but SiteMinder cookies are mapped to the b.c domain.
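Avi's cookie-domain explanation above, as an added example that is not code from the question or the answers: a small Python model of how a browser stores cookies keyed by name, domain and path, showing why a logout page on app.example.com (constructed hostname) cannot expire a SiteMinder cookie scoped to .example.com unless it repeats the same Domain attribute.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CookieKey:
    name: str
    domain: str       # "app.example.com" (host-only) or "example.com" (from a Domain attribute)
    path: str
    host_only: bool   # True when the Set-Cookie header carried no Domain attribute

def domain_matches(request_host, domain):
    return request_host == domain or request_host.endswith("." + domain)

class CookieJar:
    """Browser storage as RFC 6265 describes it: a cookie is identified by (name, domain, path),
    so a Set-Cookie with a past expiry only removes the entry whose attributes match."""
    def __init__(self):
        self.store = {}

    def set_cookie(self, request_host, name, value, domain=None, path="/", max_age=None):
        if domain is None:
            key = CookieKey(name, request_host, path, True)
        else:
            domain = domain.lstrip(".").lower()
            if not domain_matches(request_host, domain):
                return  # browsers ignore a Domain the responding host does not belong to
            key = CookieKey(name, domain, path, False)
        if max_age is not None and max_age <= 0:
            self.store.pop(key, None)   # expired cookie: remove the matching entry only
        else:
            self.store[key] = value

    def cookies_for(self, request_host):
        return {k.name: v for k, v in self.store.items()
                if (request_host == k.domain if k.host_only else domain_matches(request_host, k.domain))}

def logout_scenario(send_domain_attribute):
    """Constructed scenario: PHP sets its session cookie on app.example.com, the web agent
    sets SMSESSION for .example.com, then a logout page on app.example.com expires both."""
    jar, host = CookieJar(), "app.example.com"
    jar.set_cookie(host, "PHPSESSID", "abc123")                           # host-only, like setcookie() without a domain
    jar.set_cookie(host, "SMSESSION", "sm-token", domain=".example.com")  # domain cookie on the parent domain
    jar.set_cookie(host, "PHPSESSID", "", max_age=0)                      # attributes match: removed
    jar.set_cookie(host, "SMSESSION", "",
                   domain=".example.com" if send_domain_attribute else None, max_age=0)
    return jar.cookies_for(host)
```

Without the Domain attribute the deletion targets a host-only SMSESSION that was never stored, so the agent's cookie survives the logout; with it, the entry is removed.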