Thanks Alex for clarification! I didn't know that another post to ACS URL would invalidate existing sessions and create a new session.
If that's the case then my problem is in my code. I will double check! Thanks

On Jul 2, 4:58 pm, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
> Hi Thai,
>
> Thanks for the detailed scenarios. When you post another response to
> the ACS URL, it's supposed to invalidate any existing sessions and
> create a new session. From what you described it sounds like that's
> not happening (without the IFRAME logout). I haven't been able to
> reproduce this behavior.
>
> Is there any chance the login form or the ACS form was cached by the
> browser?
>
> Btw, we've had reports from other admins that using an IFRAME doesn't
> set (or clear) cookies in Internet Explorer due to lack of P3P
> support. Here's an earlier thread on this topic:
>
> http://groups.google.com/group/google-apps-apis/browse_thread/thread/...
>
> -alex
>
> On Jul 2, 12:53 pm, thai <[EMAIL PROTECTED]> wrote:
> > Hi there,
> >
> > If I read it correctly, the problem is not about the PHP code but it's
> > about usability.
> >
> > > 1. User logs in to [EMAIL PROTECTED] and goes to its mailbox
> > > 2. User doesn't press signout button and returns back to login page
> > > 3. User logs in to [EMAIL PROTECTED] and goes to its mailbox
> > > 4. User again doesn't press signout button and returns back to login
> > > page
> > > 5. (!!!) And now user tries to log in to somebody else's mailbox
> > > [EMAIL PROTECTED] with any password and he logs in successfully to the
> > > mailbox he doesn't own!
> >
> > The #2 stated that the user did not press the signout button. This is
> > where the problem occurred.
> > It's the cookies that are still active.
> >
> > I ran into the same problem but I have only one domain.
> > 1. user logged in as [EMAIL PROTECTED] and went to mailbox.
> > 2. user DIDN'T press the signout button and went back to the login page.
> > 3. user logged in as [EMAIL PROTECTED] using the same browser (and the
> > browser has NOT been closed and re-opened) and gets a's mailbox.
> >
> > Same scenario as above but at step #2, user quits (exits, closes) the
> > browser and re-opens the browser in step #3: user will get b's mailbox.
> >
> > it's the cookies!!!
> >
> > I resolved the problem (not very elegant but it works) by putting the
> > logout URL in the login page.
> > <iframe src="https://mail.google.com/a/your.domain.here/?logout&hl=en"></iframe>
> >
> > Hope this helps!
> >
> > Thai Nguyen
