This comment in that thread looks very relevant:
https://bugzilla.mozilla.org/show_bug.cgi?id=443354#c57

 

From: Robert Oschwald [mailto:[email protected]] 
Sent: Friday, March 01, 2013 8:58 AM
To: [email protected]
Subject: Re: [cas-user] Public computer login and CAS

 

Are you using Firefox?

Then this bug might be of interest:
https://bugzilla.mozilla.org/show_bug.cgi?id=443354#c48

 

 

On 01.03.2013 at 14:53, "Ohsie, David" <[email protected]> wrote:





So I guess the next natural questions, based on the observations posted here,
are as follows:

1) If you close your browser and then reopen it, is the MoodleSession
cookie still there, even though it is marked as "Expires: End of Session"?

 

2) What browser and version is that?

 

If the browser is going to hold on to session cookies even when it is
closed, then I'm not sure what you can do.

 

David Ohsie

Software Architect

EMC Corporation

 

 

From: Danny Sinang [mailto:d.sinang@gmail.com]
Sent: Friday, March 01, 2013 6:26 AM
To: [email protected]
Subject: Re: [cas-user] Public computer login and CAS

 

Hi David,

 

No, I don't have "Remember Me" turned on.

 

As for the cache control headers, I clicked on "View Page Info" while on my
secure page (in Firefox) and this is what I saw:

<image002.jpg>

For the session cookie, here's what I saw:

<image004.jpg>

 

Regards,

Danny

 

On Thu, Feb 28, 2013 at 2:08 PM, Ohsie, David <[email protected]> wrote:

Do you have "Remember Me" turned on?

 

If not, it is possible that either the session cookies from your site are
persistent (with an explicit Expires/MaxAge) or else the cache control
headers are allowing some pages to remain within the browser cache.

 

From: Danny Sinang [mailto:[email protected]]
Sent: Thursday, February 28, 2013 12:55 PM
To: [email protected]
Subject: [cas-user] Public computer login and CAS

 

Hi,

 

I noticed that closing and reopening my browser allows me to access
protected webpages on my CASified site.

 

This could be a problem if I logged in from a public computer (internet
cafe, etc).

 

Is there a way to secure against this?

 

Regards,
Danny

-- 
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user

 


Attachment: smime.p7s
Description: S/MIME cryptographic signature
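
The two server-side causes named in the thread (a session cookie sent with an explicit Expires/Max-Age, and cache headers that let protected pages stay in the browser cache) can be checked from the response headers. The following is an added example, not code from any poster or from CAS or Moodle; the header samples are constructed, and treating only `no-store` as sufficient for protected pages is this example's assumption. A browser that keeps session cookies across a restart is not visible in headers.

```python
# Added example; the header samples are constructed, not from the thread.
PERSISTENT = """\
HTTP/1.1 200 OK
Set-Cookie: MoodleSession=abc123; Path=/; Expires=Sat, 01 Mar 2014 14:53:00 GMT
Cache-Control: private, max-age=3600
"""
SESSION_ONLY = """\
HTTP/1.1 200 OK
Set-Cookie: MoodleSession=abc123; Path=/; HttpOnly
Cache-Control: no-store
"""


def parse_headers(raw):
    """Return (lowercased name, value) pairs; the status line has no ':' and is skipped."""
    pairs = []
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_lifetime(set_cookie):
    """Classify one Set-Cookie value as 'session', 'persistent' or 'deleted'."""
    first, *rest = set_cookie.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return (name, "persistent" if int(attrs["max-age"]) > 0 else "deleted")
        except ValueError:
            pass  # unparseable Max-Age is ignored; fall through to Expires
    if "expires" in attrs:
        return (name, "persistent")  # assumption: past dates are not distinguished
    return (name, "session")


def audit(raw):
    """List findings for one response to a protected page."""
    headers = parse_headers(raw)
    cookies = [cookie_lifetime(v) for n, v in headers if n == "set-cookie"]
    findings = [f"cookie {c} is persistent" for c, kind in cookies if kind == "persistent"]
    directives = {d.strip().lower() for n, v in headers if n == "cache-control"
                  for d in v.split(",")}
    if "no-store" not in directives:
        findings.append("response may be kept in the browser cache (no no-store)")
    return findings
```
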
