> This happens because before generating new TGT, the old TGT is not expired
> and sign-out signal is not sent to the services.

This happens because you never signed out of CAS as user X. When you explicitly sign out of CAS, it immediately destroys the TGT and sends the LogoutRequest to all services. Closing the tab is equivalent to the client disappearing, and the TGT is cleaned up asynchronously by the RegistryCleaner component some time in the future after the TGT expires according to the expiration policy in effect.

I'm fairly certain the apparent impersonation effect you've described is entirely because your browser shares state across tabs, which is a known behavior of some browsers. If you MUST avoid this behavior, the user must do one of the following:

- Log out of service X
- Close browser (all tabs)

If you SHOULD avoid this behavior, you can configure services for single sign-out and log out of CAS. It's vitally important to note that single sign-out is a best-effort strategy, and cannot be guaranteed due to a number of intrinsic factors.

All of this is to say the behavior you described is expected.

M
