> Hi. I have two applications that authenticate users using CAS. I have
> configured the single sign out in both of them, via
> SingleSignOutHttpSessionListener and SingleSignOutFilter. The problem is
> that the session in one of them seems to be kept alive...
> This happens only in some rare circumstances, which I haven't been able to
> reproduce.

Is the problematic service load balanced? You have to take additional steps to ensure single sign-out in that case.

> And, as it is a big security hole, I need to solve this problem
> ASAP, but I don't know where to start.

I would appreciate it if you could clarify your reasoning for calling this situation a "big security hole." Based on what you've described, I don't see a big security hole. I believe it's well documented that single sign-out is a best effort feature that should not be relied upon to succeed in all cases. While it is possible to configure services to receive sign-out messages in all but a vanishingly few cases (e.g. network connectivity; CAS does not retry the sign-out message), relying on a feature that is subject to network vagaries is unwise from a security policy perspective.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
