Hello:
I read that it is possible to log out of CAS programmatically by having
the following line in my logout method:
response.sendRedirect("https://<xxxx.edu>/cas/logout");
However, this is not secure, I am told, and I am advised to close the
browser.
However, I find that, despite closing the browser, a different user
could still open a new browser on my PC, and sign in, but the person has
all the privileges/access I had. It is almost as if the CAS server has
me recorded as logged in and I may have to wait for the cookie-tickets
to expire.
I am assuming the CAS Server web.xml controls the application timeout.
I, as an application, cannot programmatically set the maxAge of cookies.
CAS Server is in charge of cookie-tickets and the application server
(that is my server) never touches this information. Is this the way this
works, or am I doing something wrong? Can I change the maxAge of all
cookies to zero before calling logout? I tried, but it is not working
(and I did not expect it to, because of the independence of the app
server from the CAS server).
Any pointers? Maybe, this is the way it is supposed to work and the
applications are not supposed to log out?
Thanks
Ram Iyer
_______________________________________________
Yale CAS mailing list
http://tp.its.yale.edu/mailman/listinfo/cas
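As an added example (not code from the original post or from the CAS project), here is one way an application-side logout method is commonly written so that the two separate sessions the post describes are both handled: the application's own HttpSession and cookies, which only the application can clear, and the CAS single-sign-on session, which only the CAS server can end. The CAS host name, the servlet class name and the cookie path are assumptions.

```java
// Added example: an application logout servlet that clears the application's
// own session state and then redirects the browser to the CAS logout endpoint.
// The CAS URL below is a placeholder; substitute your own CAS server address.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutServlet extends HttpServlet {

    // Assumed CAS logout URL (placeholder host).
    private static final String CAS_LOGOUT_URL = "https://cas.example.edu/cas/logout";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // 1. Invalidate the application's own session. Until this happens the
        //    application keeps treating the browser as authenticated, no matter
        //    what the CAS server does, until the session times out on its own.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the cookies the application itself set (its session cookie
        //    and any application-specific ones). Cookies that the CAS server set
        //    on its own domain are not visible to this application and cannot
        //    be cleared from here; that is what the redirect in step 4 is for.
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                Cookie expired = new Cookie(c.getName(), "");
                expired.setMaxAge(0);   // maxAge 0 instructs the browser to delete it
                expired.setPath("/");   // assumed path; must match the original cookie's path
                expired.setSecure(true);
                response.addCookie(expired);
            }
        }

        // 3. Prevent the logout response (and pages served after it) from being
        //    served from the browser cache via the Back button.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // 4. Send the browser to the CAS server so that the CAS single-sign-on
        //    session is ended on the CAS side as well.
        response.sendRedirect(CAS_LOGOUT_URL);
    }
}
```

The point of steps 1 and 2 is that the application cannot reach the CAS server's cookies, and the CAS server cannot reach the application's; each side must clear its own state, and only the redirect in step 4 ends the CAS-side session. If the local session is left alive, a second person at the same machine can keep using the application's session until it expires on its own, which matches the behaviour described in the post.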