We're running into a problem with the use of OpenDocument. Specifically, after a user is done using a WebI we'd like to log off and invalidate their session. The logical thing to do would be to redirect their browser to the Logoff URL used when you click Log Off from the SAP Dashboard.
Unfortunately, this URL (e.g. http://hostname:8080/BOE/portal/1407311547/InfoView/logon/logoff.do?bttoken=<token>) appears to require a form of CSRF (something called the bttoken) which, if omitted, doesn't allow the logout to work.
I was wondering if anyone else had come up with a good solution to this problem?
SAP claims this isn't being addressed in older KB issues 1384496 & 1437785 although they provide a workaround for the problem in 1897531 which only works for BO 3.1.
Not logging off the user when they're done using the WebApp rendering the WebI isn't the end of the world, but it would be very nice to do (reset state, free up resources on BO server, free up in-use licenses, allow BO user preferences e.g. locale to take effect without waiting for a session timeout).
====
Incidentally, as a bit of a surprise to me, the following code and redirecting the user to the OpenDocument URL with a logonToken establishes two separate sessions. Calling logoff() on the boSession below will close out the first session, but doesn't affect the OpenDocument session at all.
final ISessionMgr sessionMgr = CrystalEnterprise.getSessionMgr();
ITrustedPrincipal trustedPrincipal = sessionMgr.createTrustedPrincipal(boUser, boServer, boSharedKey);
IEnterpriseSession boSession = sessionMgr.logon(trustedPrincipal);
String logonToken = boSession.getLogonTokenMgr().getDefaultToken();
// Redirect user to OpenDocument/opendoc/openDocument.jsp with token=logonToken