Alright, I was completely wrong.

What I found was that in both Firefox 19.0 and Chrome 25.0.1364.97 on Windows, if you set the appropriate option to reload the pages that you were on when you last closed your browser, then the cookies that are supposed to be deleted at "end of session" are not deleted. I found that this was true even if I killed the relevant tabs before closing the browser. If you set the options in either browser to start the browser with a blank page, then the cookies set to expire at "end of session" are not retained. I think that I'll be setting that option on my browsers now. Setting the cookie to secure did not make any difference (I did not have them set with HttpOnly).

I think that there is little or nothing that you can do about this on the server side. If the client decides not to discard a cookie when it is supposed to, then I don't see any reliable way for you to detect that on the server. Perhaps this would help in some cases: https://www.owasp.org/index.php/Session_Management#Associating_Session_Information_with_SSL_information. I guess that in this environment, the best that you can do is to set tight idle-timeouts on sessions.

Thanks for setting me straight.

David Ohsie
ASD Arch. and Advanced Dev.
410-929-2092

From: Danny Sinang [mailto:[email protected]]
Sent: Friday, March 01, 2013 9:55 AM
To: [email protected]
Subject: Re: [cas-user] Public computer login and CAS

The latest Firefox (v 19.0) on a Mac.

Regards,
Danny

On Fri, Mar 1, 2013 at 8:58 AM, Robert Oschwald <[email protected]> wrote:

Are you using Firefox? Then this bug might be of interest: https://bugzilla.mozilla.org/show_bug.cgi?id=443354#c48

On 01.03.2013 at 14:53, "Ohsie, David" <[email protected]> wrote:

So I guess the next natural questions, based on the observations posted here, are as follows:

1) If you close your browser and then reopen it, is the MoodleSession cookie still there, even though it is marked as "Expires: End of Session"?
2) What browser and version is that?

If the browser is going to hold on to session cookies even when it is closed, then I'm not sure what you can do.

David Ohsie
Software Architect
EMC Corporation

From: Danny Sinang [mailto:d.sinang@gmail.com]
Sent: Friday, March 01, 2013 6:26 AM
To: [email protected]
Subject: Re: [cas-user] Public computer login and CAS

Hi David,

No, I don't have "Remember Me" turned on.

As for the cache control headers, I clicked on "View Page Info" while on my secure page (in Firefox) and this is what I saw:

<image002.jpg>

For the session cookie, here's what I saw:

<image004.jpg>

Regards,
Danny

On Thu, Feb 28, 2013 at 2:08 PM, Ohsie, David <[email protected]> wrote:

Do you have "Remember Me" turned on? If not, it is possible that either the session cookies from your site are persistent (with an explicit Expires/MaxAge) or else the cache control headers are allowing some pages to remain within the browser cache.

From: Danny Sinang [mailto:[email protected]]
Sent: Thursday, February 28, 2013 12:55 PM
To: [email protected]
Subject: [cas-user] Public computer login and CAS

Hi,

I noticed that closing and reopening my browser allows me to access protected webpages on my CASified site. This could be a problem if I logged in from a public computer (internet cafe, etc). Is there a way to secure against this?

Regards,
Danny

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
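The thread ends on the conclusion that the server cannot detect a browser keeping an "end of session" cookie, so the exposure has to be bounded server-side with tight idle timeouts. The following is an added example (not code from the thread, from CAS or from Moodle) of a minimal session store that enforces both an idle timeout and an absolute lifetime; the class, function and limit names are hypothetical.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical limits; tune to the application's risk tolerance.
IDLE_TIMEOUT = 15 * 60          # seconds of inactivity after which a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on session lifetime, active or not


@dataclass
class Session:
    user: str
    created: float    # when the session was issued
    last_seen: float  # last request that presented a valid cookie


class SessionStore:
    """In-memory store (hypothetical); a real deployment uses a shared backend."""

    def __init__(self, idle: float = IDLE_TIMEOUT, absolute: float = ABSOLUTE_TIMEOUT):
        self.idle = idle
        self.absolute = absolute
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable identifier
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid: str, now: Optional[float] = None) -> Optional[Session]:
        """Return the live session (sliding its idle window), else drop it."""
        # The server cannot tell whether the browser kept the cookie past
        # "end of session"; the idle and absolute limits bound the exposure.
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle or now - s.created > self.absolute:
            del self._sessions[sid]  # expired: treat as if the user had logged out
            return None
        s.last_seen = now
        return s

    def destroy(self, sid: str) -> None:
        """Explicit logout: drop server-side state regardless of the cookie."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    # No Expires/Max-Age (an end-of-session cookie); Secure and HttpOnly do not stop session restore.
    return f"Set-Cookie: SID={sid}; Path=/; Secure; HttpOnly"
```

Because the cookie carries only an identifier, a restored cookie past either limit is rejected on its first use and the stale entry is discarded.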
