On 09/08/2012 02:05 AM, Dmitri Pal wrote:
On 07/27/2012 10:30 AM, Petr Spacek wrote:
On 07/27/2012 03:28 PM, John Dennis wrote:
On 07/27/2012 02:06 AM, Dan Scott wrote:
Hi,

I'm not sure if this is relevant, but Firefox preserves session
cookies across browser restarts. This was discussed on the Security
Now! podcast recently:

http://www.grc.com/sn/sn-360.htm

Search for 'sessionstore' and read a little before and after.

Are session cookies relevant for kerberos authentication?

It's only tangentially relevant. IPA does use session cookies. IPA
logout
destroys the session on the server making the session cookie stored
in the
browser invalid.

However, SSO (Single Sign-On) continues to work as it's supposed to.
As long
as you have valid credentials in your kerberos cache you'll be
automatically
logged in (albeit with a brand new session and session cookie). All
this is by
design.

You can logout of IPA which destroys your session, but unless you
also destroy
your credentials the automatic SSO process will be applied the next
time you
visit the web UI.


Would it be possible to add "login as another user" functionality? I
mean "destroy session && ignore any Kerberos tickets && start
form-based auth"?

IMHO it could be handy, at least for demonstration purposes.


Please log a ticket.

https://fedorahosted.org/freeipa/ticket/3064

Petr^2 Spacek

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to