Hi Team,

CAS Single Logout does an HTTP URL connection to all the registered services and sends a logout request (SAML POST). The individual applications invalidate the sessions identified from the logout request. In order to identify the user's session from the logout request (SAML POST), we rewrite the jsessionid into the service URL when the user is redirected to the CAS login page. The service URL now contains the jsessionid, which is stored in the CAS map. The CAS login URL looks like:

https://domain.com/cas/login?service=https://domain.com/secureapp/j_acegi_cas_security_check;jsessionid=3D22FCE59C96D860823828FAA2EA6FD84B

Please note that the service URL contains the jsessionid, which will be used to identify and invalidate the session in the individual application.

This works as expected, but I request you to validate the approach of passing/rewriting the jsessionid as part of the service URL. If this approach has a security vulnerability, please explain and suggest the best approach for Single Logout.

Thanks in advance.

Thanks & Regards,
Gokula

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
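The post describes the core of CAS single logout: the CAS server POSTs a SAML LogoutRequest to each registered service, and the service must map that request back to a local session and invalidate it. The following is an added example (written in Python for illustration, not CAS, Acegi or CAS-client code) of the same mechanism with the lookup keyed on the CAS service ticket, which the application already sees when it validates the ticket, instead of on a jsessionid carried in the service URL. The CAS server sends that ticket back as the SessionIndex of the LogoutRequest. The class names, the in-memory stores and the sample LogoutRequest are constructed for this example; the XML is assumed to have already been read from the POSTed `logoutRequest` form parameter.

```python
"""Server-side service-ticket -> session mapping for CAS single logout.

Added example, not CAS or CAS-client code. The mapping lives only in server
memory, so the session id never has to be written into a URL that is logged,
bookmarked or sent in Referer headers.
"""
import threading
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Constructed sample of the back-channel LogoutRequest the CAS server POSTs;
# the SessionIndex carries the service ticket issued at login.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example-id-1" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-abc</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class SessionStore:
    """Minimal stand-in for the servlet container's session registry."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def create(self, session_id: str, user: str) -> None:
        self.sessions[session_id] = {"user": user, "valid": True}

    def invalidate(self, session_id: str) -> bool:
        session = self.sessions.get(session_id)
        if session is None or not session["valid"]:
            return False
        session["valid"] = False
        return True

    def is_valid(self, session_id: str) -> bool:
        session = self.sessions.get(session_id)
        return bool(session and session["valid"])


class TicketSessionMapping:
    """Maps the CAS service ticket (ST-...) to the local session id.

    Recorded when the application validates the ticket after the redirect
    from CAS; the session id itself stays out of the service URL.
    """

    def __init__(self) -> None:
        self._by_ticket: Dict[str, str] = {}
        self._lock = threading.Lock()

    def record(self, ticket: str, session_id: str) -> None:
        with self._lock:
            self._by_ticket[ticket] = session_id

    def pop(self, ticket: str) -> Optional[str]:
        """Remove and return the mapping, so a ticket can be used only once."""
        with self._lock:
            return self._by_ticket.pop(ticket, None)


def extract_session_index(logout_request_xml: str) -> Optional[str]:
    """Return the SessionIndex text from a SAML LogoutRequest, or None.

    Matches the element by local name so both prefixed and unprefixed
    forms are accepted; malformed XML yields None rather than an exception.
    """
    try:
        root = ET.fromstring(logout_request_xml)
    except ET.ParseError:
        return None
    for element in root.iter():
        if element.tag == "SessionIndex" or element.tag.endswith("}SessionIndex"):
            return (element.text or "").strip() or None
    return None


def handle_logout_request(
    logout_request_xml: str, mapping: TicketSessionMapping, store: SessionStore
) -> bool:
    """Process a back-channel LogoutRequest: find the session by ticket and
    invalidate it. Returns True only if a live session was ended."""
    ticket = extract_session_index(logout_request_xml)
    if ticket is None:
        return False
    session_id = mapping.pop(ticket)  # a replayed request finds nothing
    if session_id is None:
        return False
    return store.invalidate(session_id)


def demo() -> Tuple[bool, bool]:
    """Login, single logout, then a replay of the same LogoutRequest."""
    store, mapping = SessionStore(), TicketSessionMapping()
    # Constructed values: after validating ST-1-abc the app created SESS-A.
    store.create("SESS-A", "gokula")
    mapping.record("ST-1-abc", "SESS-A")
    first = handle_logout_request(SAMPLE_LOGOUT_REQUEST, mapping, store)
    replay = handle_logout_request(SAMPLE_LOGOUT_REQUEST, mapping, store)
    return first, replay


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Keeping the ticket-to-session map on the server side means the service URL registered with CAS is the same for every user, the session identifier is never exposed outside the application, and because the mapping is consumed on first use a repeated LogoutRequest for the same ticket is a no-op. In a clustered deployment the map would need to be shared or the session found through the container's session registry, which this in-memory example does not cover.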
