Hmm, that would be very strange and very bad. That doesn't happen for us. The only additional step I take is a call to response.flushBuffer() after sendredirect(). Are you sure you have the first user logged in the second time around? In case you haven't, you should turn logs and watch CAS state that a ticket was issued for the user2 for service <whatever>.
________________________________ From: Ramakrishnan Iyer <[email protected]> To: Yale CAS mailing list <[email protected]> Sent: Friday, January 23, 2009 6:16:46 AM Subject: CAS Logout question Followup 2 Hi Ted: Yes, I am using Yale CAS client. I am login in to a webapp but not going to another webapp. I just logout and the second user, who is signing on to the same webapp through my machine, does get challenged. However, after the second user passes it, he/she is into the webapp but with my permissions. All indications are the user logged on to my webapp. I thought when I sign off session.invalidate(); response.sendRedirect("https://xxxx/logout";); and close the browser, the new user should not be on my session that was already invalidated and logged out of. Thanks for your suggestion. Sincerely Ram >>> tedzo <[email protected]> 1/23/2009 12:41 AM >>> Ram, I guess you are using the Yale CAS client. If that is so, I think the behavior you describe is how it works. You login to a webapp and navigate to another webapp unchallenged. Then you logout of second webapp successfully by dstroying thee session an redirecting to CAS logut url. However your session with the first webapp is still valid because no one destroyed that session. Hence, you will be able to simple navigate back to the first webapp unchallenged. Thats how it works for us. Thats also one of the reasons why we are moving to version 3 of the client which supports the single logout feature. Hope that helps. ________________________________ From: Ramakrishnan Iyer <[email protected]> To: Yale CAS mailing list <[email protected]> Sent: Thursday, January 22, 2009 11:46:20 AM Subject: Re: CAS Logout question Followup Bill: >Are you simply trying to log the user out of the Application? If so, >you need to invalidate the Application Session at the Application >layer. This is independent of CAS. If you also want to end the CAS SSO Session, then you redirect to CAS/logout after the Application Session is invalidated. Clear? In a general Enterprise SSO deployment, you would not redirect to CAS/logout, since this would defeat the purpose of SSO. >From your example, it sounds like may still have the first users Application Session active...which would be true if you only did a CAS/logout. session.invalidate(); response.sendRedirect("https://xxxx/logout";); In my app module, after a login, I check userId = (String)session.getAttribute("edu.yale.its.tp.cas.client.filter.user"); Although the first user signed off, and the second userid signed on, here it still brings back the first userid. Thanks Ram
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
