> it's a security issue for us since a user could log in as the previous user.
Only if they're using the same browser, since both CAS application state and application session state are based on cookies. Is this a kiosk environment? The best practice has been and continues to be closing the browser when finished with an SSO session. I realize that modern browsers that keep components memory-resident take away from this recommendation, but it's the best we have.

> I don't think it's a network issue, since both apps and CAS are all on the same host, so I think it could be a configuration problem of some sort.

I would recommend you turn up the logging on both the CAS server and troublesome application to ensure that CAS is sending the LogoutRequest and that it is being received by the application. There is a very prominent message (WARN), I believe, if the CAS server has connection problems sending the message. It will also be logged on the client if you're using the Jasig Java CAS client. I believe other CAS clients log it as well.

M
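
Added example, not part of the original message and not code from any CAS client: a minimal sketch of what an application has to do when it receives the back-channel LogoutRequest, showing why the previous user's cookie stays valid if that message never arrives. `SessionStore` and `handle_logout_post` are hypothetical names, and the ticket, cookie and POST body are constructed samples; the sketch assumes the standard CAS single sign-out format, where the SAML document arrives in the `logoutRequest` form parameter and its `SessionIndex` holds the service ticket.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class SessionStore:
    """Hypothetical application session table, indexed by CAS service ticket."""
    def __init__(self):
        self.by_cookie = {}  # session cookie value -> username
        self.by_ticket = {}  # service ticket -> session cookie value

    def login(self, cookie, ticket, user):
        self.by_cookie[cookie] = user
        self.by_ticket[ticket] = cookie

    def user_for(self, cookie):
        return self.by_cookie.get(cookie)

def handle_logout_post(body, store, log):
    """Handle a form-encoded POST; return True only if a session was destroyed."""
    fields = parse_qs(body)
    if "logoutRequest" not in fields:
        return False  # ordinary POST, not a single sign-out message
    try:
        root = ET.fromstring(fields["logoutRequest"][0])
    except ET.ParseError:
        log.append("WARN malformed logoutRequest")
        return False
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        log.append("WARN unexpected root element in logoutRequest")
        return False
    ticket = (root.findtext("{%s}SessionIndex" % SAMLP) or "").strip()
    cookie = store.by_ticket.pop(ticket, None)
    if cookie is None:
        log.append("WARN logoutRequest for unknown ticket")
        return False
    store.by_cookie.pop(cookie, None)  # cookie no longer maps to a user
    log.append("INFO session destroyed by logoutRequest")
    return True

# Constructed sample values, for illustration only.
SAMPLE_TICKET = "ST-1-constructed-example"
SAMPLE_BODY = urlencode({"logoutRequest": (
    '<samlp:LogoutRequest xmlns:samlp="%s" ID="LR-1" Version="2.0" '
    'IssueInstant="2010-01-01T00:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>%s</samlp:SessionIndex>'
    '</samlp:LogoutRequest>') % (SAMLP, SAMPLE_TICKET)})
```

Until `handle_logout_post` runs with the matching ticket, `user_for` keeps returning the earlier user for that cookie, which is the condition the logging recommended above is meant to expose.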
