Tom,

That's really weird.  /cas/logout should have

1) read the TGT cookie from the browser
2) invalidated the TGT cookie server-side in CAS (this is the important activity in /logout)
3) instructed the browser to delete the TGT cookie (this is cosmetic; the important thing is to invalidate the cookie in the CAS server's ticket registry)

So, to be clear, when you return to your application's login page, you're saying it uses an iframe to /cas/login?service=yourApplication, your browser sends the TGT to CAS, CAS redirects with an ST, your application validates the ST and thereby logs the user back in?

Shot in the dark: are you accessing /cas/logout over http:// such that CAS can't see the TGT cookie and so doesn't know what logged in session to invalidate?

Something else to try: The thing your application's doing with an inline frame sounds non-traditional. What's the behavior for a plain vanilla redirect-using CASified application that doesn't inline frame anything? Not saying the inline frames thing can't work, depending what it is, just suggesting getting this down to the simplest possible example of the misbehavior.

Also, CAS server logs at sufficient detail might be elucidating. I'd be especially interested in the audit trail logging.

Kind regards,

Andrew


On 9/23/2011 4:12 AM, Tom wrote:
Hi,

When I log out of my application by unsetting my session in my local app, and redirecting 
to the /logout page where CAS says "thanks for logging out, you should close your 
browser", nothing really seems to happen with my cookies I find.

When I (in the same browser session) return to my app's login page (which has 
an iframe to CAS), CAS immediately logs in again as if it were still authorized 
(I've checked with fiddler, it sends the cookie value again, and it's accepted).

My question is: do I have to force the user to close the browser? Or is there 
some configuration issue somewhere? Or something else I can investigate?

Cheers!
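Added example, not part of this thread or of CAS itself: a small Python check that takes a captured /cas/logout exchange (the request URL plus the raw response as copied out of a proxy such as Fiddler) and reports whether the response actually tells the browser to drop the TGT cookie and whether the logout request went over https. The cookie name CASTGC, the host names and the sample responses are assumptions constructed for the example. A "cleared" result on the client side is necessary but not sufficient; the server-side invalidation Andrew describes is only visible in the CAS ticket registry or audit log.

```python
"""Inspect a captured CAS /logout response for TGT cookie removal and transport."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

TGT_COOKIE = "CASTGC"  # assumed name of the CAS TGT cookie


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs); attr keys are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip().strip('"'), attrs


def cookie_is_deleted(value, attrs, now):
    """True if the header deletes the cookie: Max-Age<=0, Expires in the past, or an empty value."""
    if "max-age" in attrs:
        try:
            if int(attrs["max-age"]) <= 0:
                return True
        except ValueError:
            pass
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                return True
        except (TypeError, ValueError):
            pass
    return value == ""


def parse_response(raw):
    """Return (status_code, [(header_name_lower, value), ...]) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            key, val = line.split(":", 1)
            headers.append((key.strip().lower(), val.strip()))
    return status, headers


def check_logout(request_url, raw_response, now=None):
    """Findings for one /cas/logout exchange: transport, cookie cleared, Secure flag, status."""
    now = now or datetime.now(timezone.utc)
    status, headers = parse_response(raw_response)
    findings = {
        "https": request_url.lower().startswith("https://"),
        "tgt_cookie_cleared": False,   # stays False if no Set-Cookie for the TGT at all
        "tgt_cookie_secure": None,     # None means the TGT cookie was not touched
        "status": status,
    }
    for key, val in headers:
        if key != "set-cookie":
            continue
        name, value, attrs = parse_set_cookie(val)
        if name == TGT_COOKIE:
            findings["tgt_cookie_cleared"] = cookie_is_deleted(value, attrs, now)
            findings["tgt_cookie_secure"] = "secure" in attrs
    return findings


# Constructed sample responses (not real CAS output).
GOOD_LOGOUT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    'Set-Cookie: CASTGC=""; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; '
    "Path=/cas; Secure; HttpOnly\r\n"
    "\r\n<html>Thanks for logging out. Close your browser.</html>"
)
NO_COOKIE_LOGOUT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>Thanks for logging out. Close your browser.</html>"
)

if __name__ == "__main__":
    # The symptom from the thread: logout page shown, but nothing done about the TGT cookie.
    print(check_logout("http://cas.example.org/cas/logout", NO_COOKIE_LOGOUT))
    print(check_logout("https://cas.example.org/cas/logout", GOOD_LOGOUT))
```

A Secure-flagged TGT cookie is never sent by the browser over http://, so "https": False together with "tgt_cookie_cleared": False is exactly the shot-in-the-dark case above: CAS never saw the TGT and had nothing to invalidate.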


--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user