Hi. I have two applications that authenticate users using CAS. I have configured the single sign out in both of them, via SingleSignOutHttpSessionListener and SingleSignOutFilter. The problem is that the session in one of them seems to be kept alive, so when I sign off and sign in again with a different user, in this app the previous session is still valid, and I'm logged in as the previous user. In fact, to destroy the previous session, I must restart the browser and even remove the cookies.

This happens only in some rare circumstances, which I haven't been able to reproduce. And, as it is a big security hole, I need to solve this problem ASAP, but I don't know where to start. I have checked the server and client configurations and everything seems OK.

In this scenario, what could be the cause of this behaviour? Where should I start looking? I don't know if the session invalidation via SingleSignOutFilter is not working, or if CAS is caching the previous authentication, or maybe it's neither.

Thanks in advance
