On Wed, Jan 21, 2009 at 3:56 PM, Ramakrishnan Iyer <[email protected]> wrote:
> Hello:

Hi Ram,

>
> I read that it is possible to log out of CAS programmatically by having the
> following line in my logout method
>
> response.sendRedirect("https://<xxxx.edu>/cas/logout");

If the browser is successfully redirected to this URL it will end the
CAS SSO session, presuming there is already one established for that
browser session.

>
> However, this is not secure, I am told, and I am advised to close the
> browser.

The CAS SSO session is mediated by a browser session cookie set by the
CAS server.  The surest way to end the SSO session is by closing the
browser and destroying the cookie.

>
> However, I find that, despite closing the browser, a different user could
> still open a new browser on my PC, and sign in, but the person has all the
> privileges/access I had. It is almost as if the CAS server has me recorded
> as logged in and I may have to wait for the cookie-tickets to expire.

I'm not sure I follow this.  Is the second user being challenged for
credentials?

> I am assuming the CAS Server web.xml controls the application timeout. I, as
> an application, cannot programmatically set the maxAge of cookies. CAS
> Server is in charge of cookie-tickets and the application server (that is my
> server) never touches this information. Is this the way this works or am I
> doing something wrong? Can I change the maxAge of all cookies to zero before
> calling logout. I tried but it is not working. (and I did not expect it to
> because of the independence of the app server from the CAS server)

CAS SSO Session and Application Session are independent.  Once you
have established a session with your application CAS is out of the
picture.  How is your application maintaining session state?

>
> Any pointers? Maybe, this is the way it is supposed to work and the
> applications are not supposed to log out?

You have to think of the CAS SSO Session and the Application Sessions
as distinct things.  It is fine for an Application to log out a user
from its specific session.  If the user still has an SSO Session they
could login again without a credential challenge.

It is also fine for an Application to explicitly end a CAS SSO by
redirecting a user to CAS/logout.  It really depends on the behavior
you're trying to achieve.  In a general CAS SSO setup, you probably
would never redirect the user to CAS/logout.

Bill

>
> Thanks
> Ram Iyer
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
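As an added illustration of the two sessions Bill distinguishes (example code written here, not from the thread or the CAS project): a toy model of a CAS server, a CAS-protected application and one browser's cookie jar. The cookie names CASTGC and APPSESSION, the user "ram" and the password are constructed; after_logout(False) shows an application-only logout leaving the SSO session usable without a credential challenge, and after_logout(True) shows the /cas/logout redirect ending it.

```python
import secrets

class CasServer:
    """Keeps SSO sessions keyed by the CASTGC browser cookie (toy model)."""
    def __init__(self, users):
        self.users = users  # constructed credential table, not real data
        self.sso = {}       # CASTGC cookie value -> username

    def login(self, cookies, username, password):
        # Credential challenge; on success CAS sets the SSO cookie in the browser.
        if self.users.get(username) != password:
            raise PermissionError("credential challenge failed")
        cookies["CASTGC"] = tgc = secrets.token_hex(8)
        self.sso[tgc] = username

    def user_for(self, cookies):
        # Username behind the browser's SSO cookie, or None (CAS would prompt).
        return self.sso.get(cookies.get("CASTGC"))

    def logout(self, cookies):
        """What redirecting the browser to /cas/logout does: the SSO session ends."""
        self.sso.pop(cookies.pop("CASTGC", None), None)

class Application:
    def __init__(self, cas):
        self.cas, self.sessions = cas, {}  # APPSESSION cookie value -> username

    def access(self, cookies):
        """Return (username, challenged); challenged means CAS had no SSO session."""
        user = self.sessions.get(cookies.get("APPSESSION"))
        if user is None:
            user = self.cas.user_for(cookies)
            if user is None:
                return None, True
            cookies["APPSESSION"] = sid = secrets.token_hex(8)
            self.sessions[sid] = user
        return user, False

    def logout(self, cookies, end_sso=False):
        """Application logout; end_sso=True also sends the browser to CAS logout."""
        self.sessions.pop(cookies.pop("APPSESSION", None), None)
        if end_sso:
            self.cas.logout(cookies)

def after_logout(end_sso):
    """Log in, use the app, log out, then hit the app again with the same cookies."""
    cas, cookies = CasServer({"ram": "s3cret"}), {}  # cookies: one browser session
    app = Application(cas)
    cas.login(cookies, "ram", "s3cret")
    assert app.access(cookies) == ("ram", False)
    app.logout(cookies, end_sso=end_sso)
    return app.access(cookies)
```

Closing the browser corresponds to discarding the cookies dict; with the SSO cookie gone, the next access is challenged just as after end_sso=True.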