Hi guys, I have written a custom CAS client tag library (based on the original Yale CAS Java client) and it works great. (Thanks to the emails in the mailing list archive and the helpful documentation written about CAS clients).
Whenever a user visits a domain, my custom CAS client checks to see if the LOGIN_BEAN exists in the HTTP session. If it exists, the user is assumed to be logged in. If it does not, the client checks to see if there is a ticket associated with the request. If a ticket exists, the ticket is validated and LOGIN_BEAN added to the session. If the ticket does not exist or is invalid, the user is prompted with a login screen.

HOWEVER, there is one single problem which I need some help on.

When a user logs into domain A (which is one of the many domains that use CAS), I create a LOGIN_BEAN_A and add it to the HTTP session associated with domain A. When the same user goes to domain B, the client detects that the ticket is still valid and creates LOGIN_BEAN_B and adds it to the HTTP session associated with domain B. In effect the user is logged into domain B without being prompted for the login screen.

When the user logs out of domain A, I invalidate the session and kill the CAS authentication information (make the TGT invalid). However, the session associated with domain B still exists along with LOGIN_BEAN_B. When the user now visits domain B, it shows him as still logged in, since LOGIN_BEAN_B still exists in the session. I check for the ticket validity only when the LOGIN_BEAN does not exist in the session.

How do I overcome this situation? Couple of options that immediately come to my mind are...

1) Should I implement session sharing across multiple domains? If so, how do I do that?
2) Validate tickets for each request rather than relying on the LOGIN_BEAN in the session. Probably not an efficient way to do it, but would get it done.
3) Find a way to invalidate the user sessions across all the domains when the user logs out of any domain.

Any other ideas? If not, which of the above options should I opt for?

Thank you all,
Kristin

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
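The stale-session problem described in the message, and option 3 (invalidating the user's sessions in every domain on logout), as an added example that is not part of the original post and is not Yale CAS client code. It assumes each domain keeps an index from user to session IDs; the class and method names are hypothetical, plain maps stand in for the servlet session API, and in a real deployment the fan-out would be a server-to-server notification to each domain.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: models the LOGIN_BEAN flow from the post with plain maps.
public class LogoutFanOutDemo {

    // One instance per domain; stands in for that application's HTTP session store.
    static class DomainApp {
        final String name;
        final Map<String, Map<String, Object>> sessions = new ConcurrentHashMap<>(); // sessionId -> attributes
        final Map<String, Set<String>> sessionsByUser = new ConcurrentHashMap<>();   // user -> sessionIds

        DomainApp(String name) { this.name = name; }

        // Called after a ticket validated successfully: store the bean, index the session by user.
        void login(String sessionId, String user) {
            sessions.computeIfAbsent(sessionId, k -> new ConcurrentHashMap<>()).put("LOGIN_BEAN", user);
            sessionsByUser.computeIfAbsent(user, k -> ConcurrentHashMap.newKeySet()).add(sessionId);
        }

        // The check from the post: a session holding LOGIN_BEAN is treated as logged in.
        boolean isLoggedIn(String sessionId) {
            Map<String, Object> s = sessions.get(sessionId);
            return s != null && s.containsKey("LOGIN_BEAN");
        }

        // Logout notification: drop every session this user holds in this domain.
        int invalidateUser(String user) {
            Set<String> ids = sessionsByUser.remove(user);
            if (ids == null) return 0;
            ids.forEach(sessions::remove);
            return ids.size();
        }
    }

    public static void main(String[] args) {
        DomainApp a = new DomainApp("A"), b = new DomainApp("B");
        List<DomainApp> registered = List.of(a, b); // hypothetical list of CAS-protected domains
        a.login("sess-a1", "user1");                // constructed sample sessions
        b.login("sess-b1", "user1");

        // Logging out at A alone reproduces the problem: B's LOGIN_BEAN survives.
        a.invalidateUser("user1");
        System.out.println("B logged in after A-only logout: " + b.isLoggedIn("sess-b1"));

        // Fanning the logout out to every registered domain clears B as well.
        registered.forEach(app -> app.invalidateUser("user1"));
        System.out.println("B logged in after fan-out: " + b.isLoggedIn("sess-b1"));
    }
}
```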
