Default triggers for implicit logouts changed in WebSphere Portal v8

In previous versions of WebSphere Portal, if the Configuration Service property uri.home.substitution were set to false (the default value), the server would log off any authenticated user who requested an unprotected resource. Consider the scenario:

1. You navigate the site under the personalized home (protected context, commonly; wps/myportal, by default) as an authenticated user. Each of these requests arrive at the server with an LTPA token (LTPAToken2) as the single sign-on (SSO) cookie.
2. You request some resource under the default home (unprotected context, commonly; wps/portal, by default).
3. WebSphere Portal logs you out. WebSphere Portal considers this an implicit logout, so any filters on the implicit logout filter chain fire. The request from (2) is served a response with a header like the following, to remove the LTPAToken2 cookie from the browser's cookie store:

WebSphere Portal v8 does not log you off at (3), by default. Instead, it just serves you the resource under the default home. Since LTPAToken2 has not been expired, WebSphere Portal still considers you logged in the next time you request a resource under the personalized home.

A new Configuration Service property, logout.user.onpublic, controls this behavior. To restore the functionality of previous versions and implicitly log off users in the scenario above, set the Configuration Service (Resource Environment Provider - WP ConfigService) property:

logout.user.onpublic = true
(Type: java.lang.String)

Verify that:

uri.home.substitution = false

or that uri.home.substitution is not set (false is the default). Refer to the link below for instructions on setting and verifying service configuration properties.

Note: If uri.home.substitution were set to true, then any authenticated requests for resources under the default home would be redirected to the personalized home. This remains the same as in previous versions.