On Mon, 8 Jul 2013, Trenton D. Adams wrote:
> For security reasons, please Log Out and Exit your web browser when you are
> done accessing services that require authentication!
>
> The above security message is no longer useful, and gives users a false sense
> of security. Closing your browser will no longer remove the cookie.
> Unfortunately, browser developers thought it useful to make closing of the
> browser not constitute "end of session" anymore. I do not know why they did
> this. I thought the cookie spec was very specific about that, but it's been
> so long since I looked at it.
>
> Does anyone know of a way of making browsers honour what we all once held
> dear?

It was suggested on the shib-users mailing list that we should change
cookie expiration policies from "expires at end of session" to "expires at
time XYZ". At least browsers will honor a time-based expiration, for now!
The only obvious problem is time being out of sync on client computers.
Andy
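
Added example, not part of the original message and not CAS or Shibboleth code: one way to handle the clock-sync concern above is to send the lifetime as a relative `Max-Age` rather than an absolute `Expires` date, and to enforce the same lifetime on the server so a cookie the browser keeps after closing cannot outlive the session. The cookie name `SESSION`, the 8-hour lifetime and the in-memory store are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 8 * 60 * 60   # assumed policy: 8 hours, in seconds
_sessions = {}              # session id -> expiry time on the SERVER clock


def issue_session(now=None):
    """Create a session and return (session_id, Set-Cookie header value)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = now + SESSION_TTL
    jar = SimpleCookie()
    jar["SESSION"] = sid
    morsel = jar["SESSION"]
    # Max-Age is a relative number of seconds, so a client whose clock is
    # wrong still keeps the cookie for the intended duration. No Expires.
    morsel["max-age"] = SESSION_TTL
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    return sid, morsel.OutputString()


def is_valid(cookie_header, now=None):
    """Check a request's Cookie header against the server-side expiry."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "SESSION" not in jar:
        return False
    sid = jar["SESSION"].value
    expiry = _sessions.get(sid)
    if expiry is None:
        return False
    if now >= expiry:
        # The browser may still hold the cookie; the server no longer accepts it.
        del _sessions[sid]
        return False
    return True


def logout(sid):
    """Drop the server-side session and return a header that clears the cookie."""
    _sessions.pop(sid, None)
    return "SESSION=; Max-Age=0; Path=/; Secure; HttpOnly"
```

With the server-side check in place, the cookie attributes only control how long the browser offers the value; whether it is accepted is decided by the server clock alone.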