Session Not Properly Terminated On Logout

Document ID : KB000098847
Last Modified Date : 13/06/2018
Issue:
The application does not properly terminate the user's session on the server when the user logs out, so the session token stays valid on the server until it expires on its own. This gives an attacker prolonged access to the application if they obtain the user's session token by other means, such as intercepting network traffic, cross-site scripting (XSS) or cross-site tracing (XST). In addition, an attacker who finds a browser the user has left open may be able to press the "back" button after the user has logged out and still reach all functionality in the application.

In Service Desk this is normally seen with Firefox. When the end user clicks the "logout" button in Firefox, the "logging out from BOXI" popup appears but then hangs, and the user's session is not terminated on the server.
Environment:
Service Desk 17.1
Service Desk 17.0
Service Desk 14.1
Cause:
Pressing F12 to open the browser console shows that the logout URL was blocked as insecure content. SSL is set up for IIS but not for Tomcat: the Service Desk page is loaded over HTTPS, while @NX_SERVLET_SERVER_URL points at Tomcat over plain HTTP, and Firefox blocks mixed content, i.e. a request from a secure page to a non-secure endpoint. Because the blocked logout request never reaches Tomcat, the server-side session is never invalidated, which is exactly what the "Session Not Properly Terminated On Logout" finding reports.
Resolution:
Review the @NX_SERVLET_SERVER_URL variable.

If the Service Desk environment is configured for SSL, make sure @NX_SERVLET_SERVER_URL reflects that configuration, i.e. it uses HTTPS and the SSL port (8443 by default), so the browser is never asked to call a plain-HTTP URL from an HTTPS page. Tomcat must actually be listening for HTTPS on that port with a certificate the browser trusts; otherwise the browser will still refuse the logout request. After the change, confirm the finding is resolved: log in, log out, then replay the old session token against the application. The server should reject it (redirect to the login page or deny access) rather than serve authenticated content.
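The following is an added example, not code from the article or from CA Service Desk, that checks an NX.env-style configuration for the mixed-content mismatch described above. It assumes the variables appear as "@NAME=value" lines (as @NX_SERVLET_SERVER_URL does in the resolution), that the caller knows whether the IIS front end is served over HTTPS, and that 8443 is the SSL port. The sample configuration and hostname are constructed for the example. It goes slightly beyond the article by also sweeping every NX variable whose value is a plain-HTTP URL, since any such URL requested from an HTTPS page is subject to the same mixed-content block.

```python
"""Detect the mixed-content misconfiguration that silently breaks logout.

Added example, not part of the CA Service Desk product or the KB article.
Assumptions: NX.env-style "@NAME=value" lines; SSL port 8443 by default.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample configuration; hostname and values are hypothetical.
SAMPLE_NX_ENV = """\
# Service Desk environment (constructed sample)
@NX_SERVER=sdm.example.internal
@NX_SERVLET_SERVER_URL=http://sdm.example.internal:8080
@NX_LOG_LEVEL=INFO
"""


def parse_nx_env(text):
    """Return a {name: value} dict for '@NAME=value' lines.

    Blank lines, comments and lines without the '@' prefix are ignored.
    """
    variables = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith("@"):
            continue
        name, sep, value = line[1:].partition("=")
        if sep:
            variables[name.strip()] = value.strip()
    return variables


def check_servlet_url(nx_env_text, front_end_https=True, ssl_port=8443):
    """Check @NX_SERVLET_SERVER_URL against the front-end scheme.

    Returns (ok, message, suggested_value). When the front end is HTTPS but
    the servlet URL is plain HTTP, ok is False and suggested_value is the
    same host rewritten to https on ssl_port, as the resolution describes.
    """
    variables = parse_nx_env(nx_env_text)
    url = variables.get("NX_SERVLET_SERVER_URL")
    if url is None:
        return False, "NX_SERVLET_SERVER_URL is not set", None
    parts = urlsplit(url)
    if not front_end_https:
        return True, "front end is plain HTTP; no mixed content possible", url
    if parts.scheme == "https":
        return True, "servlet URL already uses HTTPS", url
    if parts.scheme != "http" or not parts.hostname:
        return False, "servlet URL is not a usable http/https URL: %r" % url, None
    # Keep host and path, switch scheme to https and port to the SSL port.
    netloc = "%s:%d" % (parts.hostname, ssl_port)
    suggested = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    message = ("mixed content: an HTTPS page will be blocked from calling %s; "
               "the logout request never reaches Tomcat" % url)
    return False, message, suggested


def find_plain_http_urls(nx_env_text):
    """Generalisation: names of all NX variables whose value is a plain-HTTP URL.

    Every such URL requested from an HTTPS page is subject to the same block.
    """
    variables = parse_nx_env(nx_env_text)
    return sorted(name for name, value in variables.items()
                  if urlsplit(value).scheme == "http")


if __name__ == "__main__":
    ok, msg, fix = check_servlet_url(SAMPLE_NX_ENV)
    print("OK" if ok else "FINDING", "-", msg)
    if fix:
        print("suggested: @NX_SERVLET_SERVER_URL=%s" % fix)
    print("plain-HTTP URL variables:", find_plain_http_urls(SAMPLE_NX_ENV))
```

Run it with the real NX.env text in place of the constructed sample. The suggested value only fixes the URL; Tomcat still has to answer HTTPS on that port with a browser-trusted certificate, and the post-logout replay check in the resolution is what actually proves the server-side session is being invalidated.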