OK, we think we found the problem. It wasn't a technical issue, but a
logical one.
As I said, we have two applications that authenticate against CAS. In
the future, there'll be another one. One of them was thought of as the
entry point to the others, and it has nothing but links to the other two
apps, enabled or not depending on user permissions. The single sign out
is also performed on this entry point app (it has the disconnect link
that points to /cas/logout), and the other apps just have an exit button
that links to the entry point app and doesn't invalidate sessions.
So, the situation was this: a user (foo) was logging in in the entry
point app, and then clicked on one of the links to access one of the
other apps (app 1). That user kept working on app 1, but eventually, his
session on the entry point app would expire, and so his CAS ticket. If
the user clicked on the exit button on app 1, he would be redirected to
the entry point app, where he would log in again, this time as another
user (bar). Then, when he accessed app 1 again, he would appear as user
foo instead of bar, but that's because his session on app 1 as foo never
expired and it was never explicitly invalidated.
We've just found the problem and now it's time to think about the
solution. Has anyone faced this problem?
Thanks.
On 25/03/2010 17:17, Diego Manilla Suárez wrote:
Hi. I have two applications that authenticate users using CAS. I have
configured the single sign out in both of them, via
SingleSignOutHttpSessionListener and SingleSignOutFilter. The problem
is that the session in one of them seems to be kept alive, so when I
sign off and sign in again with a different user, in this app the
previous session is still valid, and I'm logged in as the previous
user. In fact, to destroy the previous session, I must restart the
browser and even remove the cookies.
This happens only in some rare circumstances, which I haven't been
able to reproduce. And, as it is a big security hole, I need to solve
this problem ASAP, but I don't know where to start. I have checked the
server and clients configurations and everything seems OK.
In this scenario, what could be the cause of this behaviour? Where
should I start looking? I don't know if the session invalidation via
SingleSignOutFilter is not working, or if CAS is caching the previous
authentication, or maybe it's neither.
Thanks in advance
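The gap described in the reply is that app 1's exit button is a plain link: the container session that holds user foo is never invalidated, so it outlives the CAS ticket and is handed to whoever logs in next. An explicit logout endpoint for each CAS-protected app closes that gap. This is an added example, not code from the thread or from the Jasig CAS client; the class name LocalLogoutServlet, the CAS server URL and the cookie name are assumptions for a standard servlet container.

```java
// Added example (not from the thread): an explicit logout endpoint that every
// CAS-protected app should use instead of a bare link to the entry-point app.
// Assumes the Jasig CAS Java client (SingleSignOutFilter) is already mapped.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LocalLogoutServlet extends HttpServlet {
    // Assumed CAS server location; adjust to the real deployment.
    private static final String CAS_LOGOUT_URL = "https://cas.example.org/cas/logout";
    // Assumed container session cookie name (the servlet default).
    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Drop this app's own session first. Without this step the session,
        //    and the user it was authenticated as, survives the CAS ticket.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the session cookie in the browser too, so a stale cookie is
        //    not presented on the next visit before a fresh CAS login happens.
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setMaxAge(0);
        String ctx = req.getContextPath();
        expired.setPath(ctx == null || ctx.isEmpty() ? "/" : ctx);
        resp.addCookie(expired);

        // 3. Only now hand off to the CAS server logout, which ends the SSO
        //    session and lets the single sign out callbacks reach the other apps.
        resp.sendRedirect(CAS_LOGOUT_URL);
    }
}
```

Map this servlet to the exit button in every app (the entry-point app included) so that leaving any one of them invalidates the local session before the CAS logout is reached.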