[keycloak-user] How to disable Tomcat JSESSIONID

shimin q shimin_q at yahoo.com
Mon Sep 18 14:33:36 EDT 2017


Hi,
I have several apps deployed in Tomcat 7, and use Keycloak to manage user login and logout of these apps. Clicking on the Logout link does not log the user out and redirect to Keycloak's login page. Then I found the JSESSIONID cookie is still present; once I deleted the JSESSIONID cookie, the logout link worked as expected. So I tried to disable Tomcat's session by putting
<%@ page session="false" %>

in the header of my app's JSP page. Unfortunately, this still does not disable Tomcat's session. I am wondering if anyone has a solution to this problem? I believe the presence of the Tomcat session interferes with Keycloak's SSO session, and causes the Keycloak logout link to not work. This has to be a common problem Keycloak users encounter; Tomcat is so widely used for web apps. How does Keycloak resolve the issue when its session conflicts with the Tomcat session?
Would appreciate any tips on how we should handle this!
