Re: [Freeipa-users] unable to logout of IPA
On 09/08/2012 02:05 AM, Dmitri Pal wrote:
> On 07/27/2012 10:30 AM, Petr Spacek wrote:
>> On 07/27/2012 03:28 PM, John Dennis wrote:
>>> On 07/27/2012 02:06 AM, Dan Scott wrote:
>>>> Hi,
>>>>
>>>> I'm not sure if this is relevant, but Firefox preserves session cookies across browser restarts. This was discussed on the Security Now! podcast recently:
>>>>
>>>> http://www.grc.com/sn/sn-360.htm
>>>>
>>>> Search for 'sessionstore' and read a little before and after. Are session cookies relevant for kerberos authentication?
>>>
>>> It's only tangentially relevant. IPA does use session cookies. IPA logout destroys the session on the server making the session cookie stored in the browser invalid. However, SSO (Single Sign-On) continues to work as it's supposed to. As long as you have valid credentials in your kerberos cache you'll be automatically logged in (albeit with a brand new session and session cookie).
>>>
>>> All this is by design. You can logout of IPA which destroys your session, but unless you also destroy your credentials the automatic SSO process will be applied the next time you visit the web UI.
>>
>> Would it be possible to add login as another user functionality? I mean destroy session ignore any Kerberos tickets start form-based auth? IMHO it could be handy, at least for demonstration purposes.
>
> Please log a ticket.

https://fedorahosted.org/freeipa/ticket/3064

Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] unable to logout of IPA
On 07/27/2012 10:30 AM, Petr Spacek wrote:
> On 07/27/2012 03:28 PM, John Dennis wrote:
>> On 07/27/2012 02:06 AM, Dan Scott wrote:
>>> Hi,
>>>
>>> I'm not sure if this is relevant, but Firefox preserves session cookies across browser restarts. This was discussed on the Security Now! podcast recently:
>>>
>>> http://www.grc.com/sn/sn-360.htm
>>>
>>> Search for 'sessionstore' and read a little before and after. Are session cookies relevant for kerberos authentication?
>>
>> It's only tangentially relevant. IPA does use session cookies. IPA logout destroys the session on the server making the session cookie stored in the browser invalid. However, SSO (Single Sign-On) continues to work as it's supposed to. As long as you have valid credentials in your kerberos cache you'll be automatically logged in (albeit with a brand new session and session cookie).
>>
>> All this is by design. You can logout of IPA which destroys your session, but unless you also destroy your credentials the automatic SSO process will be applied the next time you visit the web UI.
>
> Would it be possible to add login as another user functionality? I mean destroy session ignore any Kerberos tickets start form-based auth? IMHO it could be handy, at least for demonstration purposes.

Please log a ticket.

> Petr^2 Spacek

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] unable to logout of IPA
Hi,

I'm not sure if this is relevant, but Firefox preserves session cookies across browser restarts. This was discussed on the Security Now! podcast recently:

http://www.grc.com/sn/sn-360.htm

Search for 'sessionstore' and read a little before and after. Are session cookies relevant for kerberos authentication? Maybe you could try a different browser to see if logging out works.

Thanks,

Dan

On Thu, Jul 26, 2012 at 9:39 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
> So if I just click on logout, I should just logout as if I kdestroy'd?
>
> If so, when I do that why doesn't that cleanup occur?
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Simo Sorce [s...@redhat.com]
> Sent: Friday, 27 July 2012 4:01 p.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] unable to logout of IPA
>
> On Fri, 2012-07-27 at 03:14 +, Steven Jones wrote:
>> When in IPA, when I click on the logout I expect to logout so I can login as another user,
>>
>> === Logged In As: steven jones | Logout ===
>>
>> Clicking on logout, and clearing history in Firefox and even closing all instances of Firefox and restarting see me logged back in as my adm account...
>>
>> So what do I need to do to flush? reboot my workstation?
>
> logout or manually run kdestroy
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] unable to logout of IPA
On 07/27/2012 02:06 AM, Dan Scott wrote:
> Hi,
>
> I'm not sure if this is relevant, but Firefox preserves session cookies across browser restarts. This was discussed on the Security Now! podcast recently:
>
> http://www.grc.com/sn/sn-360.htm
>
> Search for 'sessionstore' and read a little before and after. Are session cookies relevant for kerberos authentication?

It's only tangentially relevant. IPA does use session cookies. IPA logout destroys the session on the server making the session cookie stored in the browser invalid. However, SSO (Single Sign-On) continues to work as it's supposed to. As long as you have valid credentials in your kerberos cache you'll be automatically logged in (albeit with a brand new session and session cookie).

All this is by design. You can logout of IPA which destroys your session, but unless you also destroy your credentials the automatic SSO process will be applied the next time you visit the web UI.

--
John Dennis jden...@redhat.com
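The behaviour described in the message above, as a small model added here for illustration (it is not FreeIPA code and not from the thread): a server-side session store with Kerberos SSO as the fallback when the cookie is missing or stale. The class names, the principal and the cookie format are constructed for the example.

```python
import secrets


class WebUI:
    """Toy web UI: server-side sessions, Kerberos SSO when no valid session exists."""

    def __init__(self):
        self.sessions = {}  # session id -> authenticated principal

    def request(self, cookie=None, ticket=None):
        """Handle one page load; return (status, principal, cookie)."""
        if cookie in self.sessions:            # cookie maps to a live session
            return 200, self.sessions[cookie], cookie
        if ticket is not None:                 # stale or no cookie: SSO creates a new session
            new_cookie = secrets.token_hex(8)
            self.sessions[new_cookie] = ticket
            return 200, ticket, new_cookie
        return 401, None, None                 # no session and no credentials

    def logout(self, cookie):
        """Destroy the session on the server; the browser's copy becomes invalid."""
        self.sessions.pop(cookie, None)


class Browser:
    def __init__(self, ccache_principal):
        self.ccache = ccache_principal  # principal in the credential cache, or None
        self.cookie = None              # kept across "restarts", like a restored session cookie

    def visit(self, server):
        status, who, cookie = server.request(self.cookie, self.ccache)
        if status == 200:
            self.cookie = cookie
        return status, who

    def kdestroy(self):
        self.ccache = None              # credentials gone: SSO can no longer succeed


def demo():
    server, browser = WebUI(), Browser("admin@EXAMPLE.TEST")  # constructed principal
    first = browser.visit(server)
    old_cookie = browser.cookie
    server.logout(old_cookie)           # "Logout" clicked; browser still holds the old cookie
    second = browser.visit(server)      # old cookie rejected, SSO logs the user back in
    fresh = browser.cookie != old_cookie
    server.logout(browser.cookie)
    browser.kdestroy()                  # logout plus kdestroy
    third = browser.visit(server)
    return first, second, fresh, third
```

The preserved cookie plays no part in the second login: the server has already discarded that session, and the new one comes entirely from the credential cache.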
Re: [Freeipa-users] unable to logout of IPA
On 07/27/2012 03:28 PM, John Dennis wrote:
> On 07/27/2012 02:06 AM, Dan Scott wrote:
>> Hi,
>>
>> I'm not sure if this is relevant, but Firefox preserves session cookies across browser restarts. This was discussed on the Security Now! podcast recently:
>>
>> http://www.grc.com/sn/sn-360.htm
>>
>> Search for 'sessionstore' and read a little before and after. Are session cookies relevant for kerberos authentication?
>
> It's only tangentially relevant. IPA does use session cookies. IPA logout destroys the session on the server making the session cookie stored in the browser invalid. However, SSO (Single Sign-On) continues to work as it's supposed to. As long as you have valid credentials in your kerberos cache you'll be automatically logged in (albeit with a brand new session and session cookie).
>
> All this is by design. You can logout of IPA which destroys your session, but unless you also destroy your credentials the automatic SSO process will be applied the next time you visit the web UI.

Would it be possible to add login as another user functionality? I mean destroy session ignore any Kerberos tickets start form-based auth? IMHO it could be handy, at least for demonstration purposes.

Petr^2 Spacek
[Freeipa-users] unable to logout of IPA
When in IPA, when I click on the logout I expect to logout so I can login as another user,

=== Logged In As: steven jones | Logout ===

Clicking on logout, and clearing history in Firefox and even closing all instances of Firefox and restarting see me logged back in as my adm account...

So what do I need to do to flush? reboot my workstation?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] unable to logout of IPA
On Fri, 2012-07-27 at 03:14 +, Steven Jones wrote:
> When in IPA, when I click on the logout I expect to logout so I can login as another user,
>
> === Logged In As: steven jones | Logout ===
>
> Clicking on logout, and clearing history in Firefox and even closing all instances of Firefox and restarting see me logged back in as my adm account...
>
> So what do I need to do to flush? reboot my workstation?

logout or manually run kdestroy

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] unable to logout of IPA
So if I just click on logout, I should just logout as if I kdestroy'd?

If so, when I do that why doesn't that cleanup occur?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Simo Sorce [s...@redhat.com]
Sent: Friday, 27 July 2012 4:01 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] unable to logout of IPA

On Fri, 2012-07-27 at 03:14 +, Steven Jones wrote:
> When in IPA, when I click on the logout I expect to logout so I can login as another user,
>
> === Logged In As: steven jones | Logout ===
>
> Clicking on logout, and clearing history in Firefox and even closing all instances of Firefox and restarting see me logged back in as my adm account...
>
> So what do I need to do to flush? reboot my workstation?

logout or manually run kdestroy

Simo.

--
Simo Sorce * Red Hat, Inc * New York