I believe this is a well-known issue.

Modern browsers take liberties with their interpretation of the duration of
session-scoped cookies, such that merely closing the web browser is no
longer sufficient.

Users need to either explicitly log out of CAS to end their single sign-on
session and out of your application to end their session with your
application, or explicitly log out of their operating system desktop
session to prevent others from accessing it.  The latter is far preferable.

You can try to make explicit logout from CAS have a side effect of single
logout callbacks to your application to also log the user out of the
application, but this doesn't address the root issue of there being a
window of time within which the end user has valid session cookies that the
browser did not clean up on browser close such that re-opening the browser
can resurrect them.

Known shared browser installs can and should be configured to implement a
tighter understanding of what a session cookie's duration ought to be.  To
the extent that you're curating browser installs for, say, known-shared
computers in computer labs on a campus, those browser installs should be so
configured.  Internet cafe purveyors ought to do this.  Most probably
don't.  Then again, I just assume that all Internet cafe computers are
equipped with at least one malware keystroke logger. [1]

Otherwise, end users really really should be afforded the opportunity to
fully log out of their operating system sessions, and should do so when
leaving a shared computer.



[1]: A quick Google search suggests I'm not far off -- four out of ten
internet cafes providing keystroke loggers with their lattes in this one
study.  http://www.jiti.net/v11/jiti.v11n3.169-182.pdf




On Thu, Feb 28, 2013 at 2:08 PM, Ohsie, David <[email protected]> wrote:

> Do you have "Remember Me" turned on?
>
> If not, it is possible that either the session cookies from your site are
> persistent (with an explicit Expires/MaxAge) or else the cache control
> headers are allowing some pages to remain within the browser cache.
>
> *From:* Danny Sinang [mailto:[email protected]]
> *Sent:* Thursday, February 28, 2013 12:55 PM
> *To:* [email protected]
> *Subject:* [cas-user] Public computer login and CAS
>
> Hi,
>
> I noticed that closing and reopening my browser allows me to access
> protected webpages on my CASified site.
>
> This could be a problem if I logged in from a public computer (internet
> cafe, etc).
>
> Is there a way to secure against this?
>
> Regards,
> Danny

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
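One way to check an application's responses for the two causes David names above (a session cookie sent with Expires/Max-Age, and a protected page the browser is allowed to cache), as an added example that is not part of this thread; the sample responses and the cookie name are constructed, not taken from any real CAS deployment:

```python
def parse_headers(raw: str):
    """Split a raw HTTP response head into (status line, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def cookie_attrs(set_cookie: str):
    """Return (cookie name, {attribute: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_response(raw: str):
    """Flag the two causes named in the thread: cookies that outlive the
    browser session (Expires/Max-Age) and a protected page the browser
    is allowed to cache (no 'no-store' directive)."""
    _, headers = parse_headers(raw)
    findings = []
    cache_control = ""
    for name, value in headers:
        if name == "set-cookie":
            cname, attrs = cookie_attrs(value)
            lifetime = {k: attrs[k] for k in ("expires", "max-age") if k in attrs}
            if lifetime:
                findings.append(f"persistent cookie {cname}: {lifetime}")
        elif name == "cache-control":
            cache_control = value.lower()
    directives = {d.strip() for d in cache_control.split(",")}
    if "no-store" not in directives:
        findings.append(f"cacheable page: Cache-Control={cache_control or '(missing)'}")
    return findings

# Constructed sample responses, not captured from any real CAS deployment.
LEAKY = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/; Max-Age=2592000; HttpOnly
Cache-Control: public, max-age=3600
Content-Type: text/html"""

TIGHT = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html"""
```

Running `audit_response(LEAKY)` reports both problems, while `audit_response(TIGHT)` reports none; note that a clean result here does not address the browser session-restore behaviour described at the top of the thread, which only an explicit logout covers.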
