Hi, Marvin, thanks for your reply. On 25/03/2010 17:45, Marvin Addison wrote:
Is the problematic service load balanced? You have to take additional steps to ensure single sign-out in that case.
No, it isn't.
I would appreciate if you could clarify your reasoning for calling this situation a "big security hole." Based on what you've described, I don't see a big security hole. I believe it's well documented that single sign-out is a best effort feature that should not be relied upon to succeed in all cases. While it is possible to configure services to receive sign-out messages in all but a vanishingly few cases (e.g. network connectivity; CAS does not retry the sign-out message), relying on a feature that is subject to network vagaries is unwise from a security policy perspective.
Well, it's a security issue for us since a user could log in as the previous user. I don't think it's a network issue, since both apps and CAS are all on the same host, so I think it could be a configuration problem of some sort.
Regards, Diego.

-- You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
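What a CAS-enabled service has to do when a sign-out message arrives, as an added example that is not part of the thread and not the CAS client's own code: CAS POSTs a SAML `LogoutRequest` to the service URL (form parameter `logoutRequest`) whose `SessionIndex` is the service ticket that was validated when the session was created, so the service must keep a ticket-to-session index or it has nothing to invalidate. The `SessionStore` class, the session ids, the ticket value `ST-1-example`, the user names and the sample message are all constructed for this example; the idle-timeout check reflects Marvin's point that sign-out is best effort and must not be the only thing that ends a session.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of the message CAS posts as the `logoutRequest` parameter.
# The ID, IssueInstant and service ticket are made up for this example.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="LR-1-example" Version="2.0" IssueInstant="2010-03-25T17:45:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-example</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class SessionStore:
    """Service-side session table (hypothetical; a real client keeps this in
    its session store or servlet container).

    A sign-out message only identifies the service ticket, so the service
    records ticket -> session at validation time to be able to act on it.
    """

    def __init__(self, max_idle_seconds=900):
        self.sessions = {}   # session_id -> {"user", "ticket", "last_seen"}
        self.by_ticket = {}  # service ticket -> session_id
        self.max_idle = max_idle_seconds

    def create(self, session_id, user, service_ticket, now):
        """Called after a successful ticket validation; index the ticket so a
        later LogoutRequest carrying it as SessionIndex can find the session."""
        self.sessions[session_id] = {"user": user, "ticket": service_ticket,
                                     "last_seen": now}
        self.by_ticket[service_ticket] = session_id

    def handle_logout_request(self, logout_request_xml):
        """Invalidate the session whose ticket matches the SessionIndex.

        Returns the invalidated session id, or None when the message is
        malformed or the ticket is unknown (already signed out, replayed, or
        validated by another node behind a load balancer).
        """
        try:
            root = ET.fromstring(logout_request_xml)
        except ET.ParseError:
            return None
        if root.tag != "{%s}LogoutRequest" % SAMLP:
            return None
        index = root.find("{%s}SessionIndex" % SAMLP)
        if index is None or not index.text:
            return None
        session_id = self.by_ticket.pop(index.text.strip(), None)
        if session_id is None:
            return None
        self.sessions.pop(session_id, None)
        return session_id

    def touch(self, session_id, now):
        """Per-request check: return the user for a live session, else None.

        Because CAS does not retry the sign-out message, an idle timeout on
        the service side bounds how long a missed message leaves the session
        usable by whoever next sits at the browser.
        """
        sess = self.sessions.get(session_id)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.max_idle:
            self.sessions.pop(session_id)
            self.by_ticket.pop(sess["ticket"], None)
            return None
        sess["last_seen"] = now
        return sess["user"]


if __name__ == "__main__":
    store = SessionStore(max_idle_seconds=900)
    store.create("sess-A", "alice", "ST-1-example", now=1000)
    print("before sign-out:", store.touch("sess-A", now=1010))
    print("invalidated:", store.handle_logout_request(SAMPLE_LOGOUT_REQUEST))
    print("after sign-out:", store.touch("sess-A", now=1020))
    print("replayed message:", store.handle_logout_request(SAMPLE_LOGOUT_REQUEST))
```

If `handle_logout_request` keeps returning None for messages that do reach the service, the ticket-to-session index is the first thing to check: a service that validates tickets but never records them behaves exactly as if sign-out were turned off, and the next person at the same browser inherits the previous user's session until the idle timeout fires.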
