Sessions stored in CAS are not keyed on user. They're keyed off their unique key (by design). Logging out merely destroys that particular CAS session (and if an application is Single Sign Out enabled, those applications too).
-Scott -Scott Battaglia PGP Public Key Id: 0x383733AA LinkedIn: http://www.linkedin.com/in/scottbattaglia On Tue, Jan 20, 2009 at 7:19 PM, Pål Axelsson <[email protected]>wrote: > Hi again, > > The backend for CAS is handled of course in occasions as described and > application that support Single Sign Off is too few. A lot of them on the > other hand "recasifies" the user now and then to check that the session is > still valid. So what we want to do is to invalidate all sessions for a > specific user identity, together with an single sign off request for every > session. > > /Pål > > -----Ursprungligt meddelande----- > Från: [email protected] [mailto:[email protected]] För > William G. Thompson, Jr. > Skickat: den 20 januari 2009 19:54 > Till: Yale CAS mailing list > Ämne: Re: Invalidate all sessions for a user identity > > Pål, > > Can you be more specific regarding the "active sessions"? Are these > application sessions that have been created after a users has been > authenticated via CAS? > > If the credentials are known to be compromised (social engineering or > otherwise) you'd want to prevent further use of them, likely by > controlling them at the primary authentication source (LDAP, Kerberos, > etc). > > If you have deployed Single Sign Out, you could potentially customize > CAS with an administrative feature that would call out to active > application sessions and log off a specified user. Out of the box > this is not available. > > Bill > -- > William G. Thompson, Jr. > Senior Technologist - Development Information Systems > Office of Development, Princeton University > voice: 609.258.2655 | [email protected] > > > On Tue, Jan 20, 2009 at 10:08 AM, Pål Axelsson <[email protected]> > wrote: > > Hi, > > > > > > > > Our IRT team has come up with a question that I can't find the answer > for. > > > > > > > > Is't possible to invalidate all active sessions for a specific user > > identity? > > > > > > > > If one of our users account is hijacked for example y social engineering > we > > want to remove all active sessions for that user identity in a simple and > > controlled way. Is that possible? > > > > > > > > Pål Axelsson > > > > > > > > _______________________________________________ > > Yale CAS mailing list > > [email protected] > > http://tp.its.yale.edu/mailman/listinfo/cas > > > > > _______________________________________________ > Yale CAS mailing list > [email protected] > http://tp.its.yale.edu/mailman/listinfo/cas > > _______________________________________________ > Yale CAS mailing list > [email protected] > http://tp.its.yale.edu/mailman/listinfo/cas > >
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
