Ram, I guess you are using the Yale CAS client. If that is so, I think the behavior you describe is how it works. You login to a webapp and navigate to another webapp unchallenged. Then you logout of second webapp successfully by dstroying thee session an redirecting to CAS logut url. However your session with the first webapp is still valid because no one destroyed that session. Hence, you will be able to simple navigate back to the first webapp unchallenged. Thats how it works for us. Thats also one of the reasons why we are moving to version 3 of the client which supports the single logout feature.
Hope that helps. ________________________________ From: Ramakrishnan Iyer <[email protected]> To: Yale CAS mailing list <[email protected]> Sent: Thursday, January 22, 2009 11:46:20 AM Subject: Re: CAS Logout question Followup Bill: >Are you simply trying to log the user out of the Application? If so, >you need to invalidate the Application Session at the Application >layer. This is independent of CAS. If you also want to end the CAS SSO Session, then you redirect to CAS/logout after the Application Session is invalidated. Clear? In a general Enterprise SSO deployment, you would not redirect to CAS/logout, since this would defeat the purpose of SSO. >From your example, it sounds like may still have the first users Application Session active...which would be true if you only did a CAS/logout. session.invalidate(); response.sendRedirect("https://xxxx/logout";); In my app module, after a login, I check userId = (String)session.getAttribute("edu.yale.its.tp.cas.client.filter.user"); Although the first user signed off, and the second userid signed on, here it still brings back the first userid. Thanks Ram
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
