Hi Thai,

Thanks for the detailed scenarios.  When you post another response to
the ACS URL, it's supposed to invalidate any existing sessions and
create a new session.  From what you described it sounds like that's
not happening (without the IFRAME logout).  I haven't been able to
reproduce this behavior.

Is there any chance the login form or the ACS form was cached by the
browser?

Btw, we've had reports from other admins that using an IFRAME doesn't
set (or clear) cookies in Internet Explorer due to lack of P3P
support.  Here's an earlier thread on this topic:

http://groups.google.com/group/google-apps-apis/browse_thread/thread/92a93353c19239c4

-alex

On Jul 2, 12:53 pm, thai <[EMAIL PROTECTED]> wrote:
> Hi there,
>
> If I read it correctly, the problem is not about the PHP code but it's
> about usability.
>
> > 1. User logs in to [EMAIL PROTECTED] and goes to their mailbox
> > 2. User doesn't press the signout button and returns to the login page
> > 3. User logs in to [EMAIL PROTECTED] and goes to their mailbox
> > 4. User again doesn't press the signout button and returns to the login
> > page
> > 5. (!!!) And now the user tries to log in to somebody else's mailbox
> > [EMAIL PROTECTED] with any password and logs in successfully to a
> > mailbox they don't own!
>
> Step #2 states that the user did not press the signout button. This is
> where the problem occurred.
> It's the cookies that are still active.
>
> I ran into the same problem but I have only one domain.
> 1. user logged in as [EMAIL PROTECTED] and went to the mailbox.
> 2. user DIDN'T press the signout button and went back to the login page.
> 3. user logged in as [EMAIL PROTECTED] using the same browser (and the
> browser had NOT been closed and re-opened) and got a's mailbox.
>
> Same scenario as above but at step #2, user quit (exit, close) the
> browser and re-open the browser in step #3: user will get b's mailbox.
>
> it's the cookies!!!
>
> I resolved the problem (not very elegant but it works) by putting a logout
> URL in the login page:
> <iframe src="https://mail.google.com/a/your.domain.here/?logout&hl=en"></iframe>
>
> Hope this helps!
>
> Thai Nguyen
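The session behaviour discussed in this thread, as an added illustration that is not code from the thread or from Google: a constructed in-memory model of an ACS handler, run once with the stale-cookie behaviour Thai describes and once with the session rotation Alex says the ACS is supposed to perform. The `SessionStore` class, the `SID` cookie name and the `a@`/`b@` addresses under `your.domain.here` are assumptions for the example.

```python
import secrets

# Constructed model (added example, not the service's real code): a dict
# stands in for the browser's cookie jar, SessionStore for the mail service.


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> user who owns it

    def consume_acs_response(self, jar, user, rotate=True):
        """Handle a new assertion for `user` posted to the ACS URL.

        rotate=False leaves an existing, still-valid session cookie in
        place: this reproduces the stale-cookie behaviour from the thread.
        rotate=True invalidates whatever session the cookie pointed at and
        issues a fresh id, which is what the ACS is supposed to do."""
        old = jar.get("SID")
        if not rotate and old in self.sessions:
            return old  # previous user's session survives the new login
        if old is not None:
            self.sessions.pop(old, None)  # invalidate the previous session
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        jar["SID"] = sid
        return sid

    def mailbox_owner(self, jar):
        return self.sessions.get(jar.get("SID"))

    def logout(self, jar):
        # What the IFRAME "?logout" workaround achieves server-side.
        self.sessions.pop(jar.pop("SID", None), None)


def scenario(rotate, logout_first=False):
    """Thai's steps: log in as a, skip sign-out, log in as b, same browser."""
    store, browser = SessionStore(), {}
    store.consume_acs_response(browser, "a@your.domain.here", rotate)
    if logout_first:
        store.logout(browser)
    store.consume_acs_response(browser, "b@your.domain.here", rotate)
    return store.mailbox_owner(browser)


if __name__ == "__main__":
    print("stale cookie kept :", scenario(rotate=False))
    print("session rotated   :", scenario(rotate=True))
    print("logout workaround :", scenario(rotate=False, logout_first=True))
```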
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google Apps APIs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/google-apps-apis?hl=en
-~----------~----~----~----~------~----~------~--~---
