Logging out of CAS is designed to kill your single sign-on session (not 
your individual application sessions) so that if you try to access 
another CASified application (that you haven't logged into yet) you will 
be prompted for your credentials again.

CAS uses secure cookies, however, so if you access the Logout page via 
http instead of https, your cookie will not be destroyed, as it was never 
sent to the server.

-Scott


Kris Melotte wrote:
> Is there a difference regarding logout when you are using http versus
> https?
>
> I thought that the fact you can still login after the logout to an
> (authenticated) application is because the JA-SIG client does not check
> anymore with the CAS server after validation of the initial ticket. 
>
> As the authentication information is already in the session of the SSO
> authenticated application, the filter will pass you through without
> checking again with the CAS server if the SSO is still valid. 
>
> I thought that this behavior was the reason why the cas logout page
> mentions to "exit your browser for security reasons"?
>
> Regards,
> Kris
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Scott Battaglia
> Sent: Wednesday, July 26, 2006 2:16 PM
> To: Mailing list for CAS developers
> Subject: Re: [cas-dev] CAS logout
>
> Jennifer,
>
> Did you access the logout page via http or https?
>
> -Scott
>
> Jennifer Yang wrote:
>
>   
>> Hello,
>>
>> I am trying to implement logout. 
>>
>> I found the following thread, but I am not seeing the same behavior.
>> http://tp.its.yale.edu/pipermail/cas/2005-February/001010.html
>>
>> According to this, hitting /cas/logout should prevent the previously 
>> authenticated user from accessing another webapp without signing on 
>> again.  Here is what I tried and the behavior.
>>
>> I have two webapps (using jsp-examples and servlet-examples supplied 
>> by Tomcat) both set up to use CASFilter.
>>
>> 1. I enter one of the jsp-examples url in the browser.
>> 2. I get JA-SIG login page and I log in successfully.
>> 3. I get redirected to the jsp-examples I was trying to access in step 1.
>> 4. I logoff via /cas/logout and get a JA-SIG "successfully logged off".
>> 5. I enter one of the servlet-examples (a different webapp from step 
>> 1).  I expected to get another JA-SIG login page, but I get my 
>> servlet-examples without being re-authenticated.
>>
>> Am I missing something?
>>
>> Also, what is the best way to implement single-sign-out?
>>
>> Thanks very much!
>> --Jennifer
>>
>> ------------------------------------------------------------------------
>> _______________________________________________
>> cas-dev mailing list
>> [email protected]
>> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>>  
>>
>>     

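The secure-cookie behavior described in the reply at the top of this thread, as an added example that is not part of the original messages or of CAS itself: Python's standard cookie jar stands in for the browser, and a set of ticket ids stands in for the server's SSO session store. The host name, the ticket value and the `CASTGC` cookie name are assumptions for illustration, and application sessions (the point raised in the quoted reply) are not modeled.

```python
import http.cookiejar
import urllib.request

HOST = "cas.example.edu"      # assumed CAS host (not from the thread)
TGT = "TGT-1-constructed"     # constructed ticket-granting ticket id
NAME = "CASTGC"               # assumed name of the ticket-granting cookie


def tgc_cookie():
    # Ticket-granting cookie as the browser stores it: Secure, scoped to /cas.
    return http.cookiejar.Cookie(
        version=0, name=NAME, value=TGT, port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/cas", path_specified=True, secure=True, expires=None,
        discard=True, comment=None, comment_url=None, rest={})


def cookie_header(jar, url):
    # Ask the jar what a browser would attach to a request for this URL.
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")   # None when no cookie is sent


def sso_survives_logout(logout_url):
    """True if a later CASified app is let in without a login prompt."""
    jar = http.cookiejar.CookieJar()
    server_tgts = {TGT}               # toy server-side SSO session store
    jar.set_cookie(tgc_cookie())      # state right after a successful login

    # Logout: the server can only destroy a ticket named in a cookie it receives.
    sent = cookie_header(jar, logout_url)
    if sent is not None:
        server_tgts.discard(sent.split("=", 1)[1])
        jar.clear(HOST, "/cas", NAME)  # server tells the browser to drop it

    # A second application redirects the browser to the HTTPS login URL.
    sent = cookie_header(jar, f"https://{HOST}/cas/login")
    return sent is not None and sent.split("=", 1)[1] in server_tgts


if __name__ == "__main__":
    for url in (f"http://{HOST}/cas/logout", f"https://{HOST}/cas/logout"):
        print(url, "-> SSO session still alive:", sso_survives_logout(url))
```

When checking a deployment, confirm that every logout link and redirect uses the https scheme, since a plain-http logout request reports success without the server ever seeing the ticket-granting cookie.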