Since OPENAM-13836 was committed there has been an issue with the session timeout, whereby multiple calls are being made to the session endpoint to log out.
The change in OPENAM-13836 was required to ensure that Configuration.loggedUser was not deleted from the UI until after a user was able to successfully log out. This was the correct solution; however, the knock-on effect shows up when a session token times out, is revoked, or is deleted: the XUI uses the Configuration.loggedUser object as a guard to stop the logout functionality from being triggered multiple times, and that guard no longer works.
The way the session timeout works in the UI is that, upon getting a 401, the user is logged out (sessions?_action=logout) and sent to the session timeout view. Without the working guard, this endpoint will be hit once per failed REST call.
One example might be an admin who decides to revoke all the sessions in a realm due to high demand. The result will be an increase in REST calls, not a decrease.
- Login as demo
- Open the browser console and delete the session cookie
- Navigate to the user Dashboard
Shouldn't be difficult to resolve. We just need to use a different variable as the guard.
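The sketch below shows one way to use a dedicated guard, as an added example that is not the XUI's own code. The names createSessionTimeoutGuard, onUnauthorized, reset and countLogoutCalls are hypothetical, and logout stands in for the call to sessions?_action=logout.

```javascript
// Added illustration; every name here is hypothetical, not an XUI module.
// The guard is a dedicated in-flight promise, so it no longer depends on
// when Configuration.loggedUser is cleared.
function createSessionTimeoutGuard(logout, showTimeoutView) {
  let pending = null; // non-null while a logout is in flight or has completed

  return {
    // Call from the 401 handler of every REST request.
    onUnauthorized() {
      if (pending === null) {
        // The Promise executor runs synchronously, so logout() is started
        // before any other 401 handler can observe pending === null.
        pending = new Promise((resolve) => resolve(logout()))
          // The session may already be gone, so a failed logout call must
          // still lead to the timeout view.
          .catch(() => undefined)
          .then(showTimeoutView);
      }
      return pending;
    },
    // Call after a successful login so the next timeout is handled again.
    reset() {
      pending = null;
    }
  };
}

// Constructed scenario: N REST calls all fail with 401 at the same moment.
// Returns how many times the logout endpoint would have been hit.
function countLogoutCalls(failedRestCalls, useGuard) {
  let logoutCalls = 0;
  const logout = () => {
    logoutCalls += 1;
    return Promise.resolve();
  };
  const showTimeoutView = () => {};
  const guard = createSessionTimeoutGuard(logout, showTimeoutView);
  const unguarded = () => logout().then(showTimeoutView);

  for (let i = 0; i < failedRestCalls; i += 1) {
    if (useGuard) {
      guard.onUnauthorized();
    } else {
      unguarded();
    }
  }
  return logoutCalls;
}
```

With five simultaneous 401 responses, the unguarded handler hits the logout endpoint five times and the guarded one hits it once.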